PHI

TX data breach incident

June 23rd, 2016

The Texas Health and Human Services Commission possibly suffered a data breach that affected 600 individuals. The data breach incident was the result of missing documents. Iron Mountain, a document shredding company and one of Texas's contractors, said that 15 boxes containing client information went missing from the Irving, Fort Worth, and Dallas facilities.

Iron Mountain was hired by the Texas Health and Human Services Commission to destroy the client documents. The missing boxes contained confidential information from individuals who may have applied for medical assistance between January 1, 2008 and August 31, 2009.

Neither Texas nor Iron Mountain gave a reason for the misplaced boxes. Affected information included Social Security numbers, addresses, Social Security claim numbers, dates of birth, names, medical record numbers, Medicaid or individual numbers, case numbers, and bank account information.

As per the statement,

“HHSC is committed to ensuring that our clients’ confidential information is secure. The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again. After the investigation is complete, HHSC will review processes and procedures, making any changes needed to prevent this type of event in the future.”

The Texas Health and Human Services Commission contacted all affected individuals to inform them of the healthcare data security incident. They are being provided complimentary credit monitoring services for one year. Iron Mountain has taken steps to improve data security measures for confidential information.

“The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again,” explained the statement. “After the investigation is complete, HHSC [Health and Human Services Commission] will review processes and procedures, making any changes needed to prevent this type of event in the future.”

————————————————————————————————————————————————————–

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Bizmatics and data breach

June 20th, 2016

As per the HIPAA notification letter on the ENT and Allergy Center’s website, yet another medical center suffered a potential healthcare data breach due to a hacking incident. Affected information included names, addresses, healthcare visit information, and the last four digits of Social Security numbers. The EHR files did not contain credit card numbers or any other financial information.

According to the Office of Civil Rights data breach tool, 16,200 individuals were affected by the healthcare data security incident. The facility mentioned that its EHR vendor’s data servers, which stored and managed patient files, were attacked by hackers. The EHR vendor, Bizmatics, discovered the intruder and terminated the access.

Bizmatics mentioned that EHR files may have been viewed or acquired as a result of the possible data breach. It also notified ENT and Allergy Center but failed to identify which patient files may have been exposed.

Bizmatics contacted law enforcement officials and hired a private cybersecurity firm to secure its systems. An investigation is being carried out by the agency. All affected individuals were notified and offered free credit, fraud, and identity-theft monitoring services for a year. A toll-free phone number has also been set up to answer questions about the healthcare data security incident. ENT and Allergy Center mentioned that it is in the process of implementing safeguards to protect information.

Several other healthcare facilities were affected by this hacking incident. One example is the Pennsylvania-based Integrated Health Solutions PC incident, which affected 19,776 individuals. Also, Southeast Eye Institute PA suffered a data breach that affected 87,314 individuals.

According to the ENT and Allergy Center’s website:

We intend to abide by the Final Omnibus Rule of the HIPAA regulations regarding your Protected Health Information, hereafter abbreviated as PHI.  The term PHI refers to your medical records, billing and payment records, your name, address, date of birth, social security number, payment history, the name of your health plan and account number, and other data that identifies you.

We are permitted by law to disclose PHI to you and to anyone who needs it to carry out treatment, payment, or healthcare operations.  We will be required to obtain your signature for authorization to release PHI for most uses unrelated to treatment, payment, and healthcare operations.  We will retain your authorization and provide you a copy if you wish to have it.  PHI will be provided within 30 days of the written request in hard copy form.  Information may be available for transfer onto USB media if the media is provided by the patient.  You may revoke your authorization in writing at any time.

————————————————————————————————————————————————————–

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

EHR vendor and data breach

June 18th, 2016

Healthcare organization Vincent Vein Center has notified patients of a potential healthcare data breach. The incident was the result of the hacking incident at Bizmatics, a vendor that manages EHR for Vincent. The facility's Colorado-based phlebology office mentioned that some of its EHR files were accessed by the outside entity. The unauthorized access was related to the PrognoCIS system, a practice management and EHR system serviced by Bizmatics.

The number of affected individuals stands at 2,250 according to the OCR data breach tool. Affected information included names, addresses, health insurance information, health visit and treatment information, and other identifying data, such as Social Security numbers. The PrognoCIS system is used to store complete patient files.

Bizmatics mentioned that there has been no indication that Vincent Vein Center’s files were accessed or obtained by the outside party. Also, there are no available reports of information published online.

As per Bizmatics, “A cybersecurity firm is hired to investigate the incident. It found out that cybercriminals had installed malware on its systems to capture user credentials. Affected individuals are contacted about the possible data breach. Also, the facility has established a toll-free number to answer any questions which included identity theft protection resources for patients.”

As noted in Bizmatics’ letter, we have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. VVC is examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate. VVC will make every attempt to prevent further breaches.

“We sincerely regret that this incident has occurred and thank you for your understanding.”

————————————————————————————————————————————————————–

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

EHR system hacked

June 15th, 2016

A Pennsylvania-based healthcare facility suffered a potential data breach when unauthorized users hacked into its EHR system. The system was managed by Bizmatics. The incident has potentially affected around 19,776 individuals as per the Office of Civil Rights (OCR).

Bizmatics found out that an outside entity accessed its systems, which resulted in some patient files being exposed. Affected information includes names, addresses, Social Security numbers, and healthcare visit information.

Bizmatics did not specify if patient records from Integrated Health Solutions PC were accessed during the hacking incident. To be on the safer side, the healthcare facility has taken measures to strengthen its healthcare data security policies.

“Integrated Health Solutions, values your privacy and deeply regrets that this incident occurred and is working closely with its advisors and Bizmatics to ensure the incident is properly addressed, including, a review of our data security measures in order to help prevent a recurrence of such an attack,” reported the statement. “We have also contacted relevant state and federal authorities regarding this issue.”

It had informed several other organizations of potential healthcare data breaches that left EHR files exposed to outside entities. Bizmatics also suffered a data breach early this year.

One example is Florida-based Southeast Eye Institute, PA. It notified 87,314 individuals due to a hacking incident which was managed by Bizmatics. Another example involved 19,937 patients at the Pain Treatments Center of America (PTCOA) and Interventional Surgery Institute (ISI) in Arkansas, which were affected by a data breach.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

————————————————————————————————————————————————————–


UNM Hospital suffers potential data breach

June 13th, 2016

A potential healthcare data breach affected around 2,827 patients. Affected information included names, provider names, dates of service, and descriptions of medical services, such as X-ray or flu shot information, disclosed after their information was mailed to another address.

According to the reports, the facility mistakenly mailed 33 invoice documents to 18 addresses sometime between December 22, 2015 and April 2, 2016. The documents contained patient information for several individuals. The incident was caused by a technical error in the hospital’s billing systems.

Facility mentioned that there is involvement of financial, health insurance, or detailed treatment information. It also didn’t include dates of birth, Social Security numbers, or medical record numbers.

“UNM Hospital is committed to protecting the privacy and confidential health information of all of our patients, and we take this incident very seriously,” said Chief Privacy Officer of the University of New Mexico Health Sciences Center Sarah Morrow. “We have thoroughly investigated and identified the technical issues that led to the erroneous mailings, and we are monitoring the system to ensure this does not happen again.”

According to the UNM website –

The UNM Health Sciences Center’s most important value is a steadfast duty to improve the health of all New Mexicans. We will serve our patients and the public with integrity and accountability. We will strive as an institution and as individuals to recognize, cultivate and promote all forms of diversity; to fully understand the health needs of our communities; and to advance clinical, academic, and research excellence. We are committed to perform our duties with compassion and respect for our patients, learners, and colleagues; and always to conduct ourselves with the highest level of professionalism.

————————————————————————————————————————————————————-


Stolen logbook and data breach

June 8th, 2016

A physician’s logbook was stolen from a personal vehicle, which caused a possible healthcare data breach. According to the reports, approximately 1,000 individuals were affected by the incident. The logbook consists of entries from Carondelet St. Mary’s and St. Joseph’s emergency rooms between October 14, 2015 and March 25, 2015. Affected information included names, dates of birth, ages, genders, hospital names, dates of hospital visits, hospital medical record numbers, hospital identification numbers, and descriptions of medical issues.

The incident didn’t violate the HIPAA rules, as the physician took the logbook out of the hospital and left it in her personal vehicle. But it is not a recommended practice.

Trish Markus, a North Carolina-based health-care attorney who focuses on data privacy and security said, “On the bright side, the compromised patient data did not involve Social Security numbers or payment information, making it less likely the patients involved will suffer adverse effects financially. But with details such as the patient’s name, date of birth and medical record number, the thief could attempt to pose as a patient by assuming his or her “medical identity.”

Arizona-based Emergency Medicine Associates published a statement about the possible healthcare data breach. The facility provides ER staffing coverage for the affected emergency departments, and Carondelet Health Network deferred all questions to the staffing company. The incident did not involve Carondelet staff.

“The loss of (the logbook), other than the fact that it contains patient information, is probably less problematic for the emergency group from a business standpoint,” she said. “But from a reputational standpoint, obviously it’s never good when you have something like this happen.”

“EMA [Emergency Medicine Associates] takes safeguarding the privacy of its patients’ personal information very seriously,” said Privacy Officer for Emergency Medicine Associates Lori Levine, DO, FACEP, in a news release. “In response to this theft, EMA has reviewed and revised its policies regarding logbooks and provided additional training to its physicians so that incidents like this can be prevented from occurring in the future.”

Additional HIPAA training was conducted and all affected individuals of the potential healthcare data breach were notified.

————————————————————————————————————————————————————-


Mis-mailing and data breach

June 6th, 2016

Coordinated Health Mutual, Inc. recently suffered a data breach which affected around 591 individuals as per the Office of Civil Rights data breach portal. The facility confirmed the healthcare data security breach. The incident occurred after a vendor experienced an internal, electronic sorting issue. Around 650 incorrect or incomplete 1095-B forms were inadvertently printed and mailed.

A 1095-B form is a healthcare insurance form used to verify an individual’s health insurance coverage for a specific amount of time. The individual needs to enter information such as the dependents on the policy and how long the policy was active.

According to the statement, ‘These incorrect or incomplete forms either do not display a policyholder’s dependents at all, or they have incorrect dependents listed. No medical information was included and this information is not publicly available; specifically, one policyholder may have the information on the dependents of another policyholder.’

Coordinated Mutual Health, Inc. conducted an investigation and found that less than 800 dependents were listed on the incorrect policyholder’s form.

“Following an initial assessment and report by our vendor, we alerted all members and appointed brokers of the issue on April 5 and asked that they contact our Compliance Department if they received an incorrect 1095-B form. We are also encouraging members to destroy or return any incorrect forms they may have received.”

Coordinated Mutual Health, Inc. mentioned in the statement that it is offering identity protection services to any impacted dependent. Policyholders will also receive their corrected 1095-B forms with instructions on how to enroll in the services.

As per the company website:

HIPAA, which stands for Health Insurance Portability and Accountability Act, is a set of Federal Regulations originally passed in 1996. One component that HIPAA focuses on is Privacy.

So what is HIPAA Privacy all about? HIPAA Privacy is about protecting the confidential nature of an individual’s health information. It is as simple as that.

The Privacy Regulation protects health information relating to past, present or future physical or mental health of an individual. Any health information that can be directly linked or associated with an individual is referred to as “protected health information” or PHI for short. Protected health information can be in written, electronic or oral form. For more information please visit United States Department of Health & Human Services Website.

————————————————————————————————————————————————————-


Employee misuse results in potential healthcare data breach

June 3rd, 2016

Inappropriate access to patient information over seven years has resulted in a possible PHI breach at an Iowan hospital, as per the report.

Around 1,620 patients have been notified by UnityPoint Health-Allen Hospital. A former employee had improperly viewed PHI through the hospital’s EHR system. The employee was allowed access to the EHR system to do her job at that time, but she did not have the authority to view the records for patients who are involved in this healthcare data security event. The employee’s EHR access was terminated as soon as the hospital detected the possible PHI breach, and the staff member was disciplined according to hospital policies.

According to Jim Waterbury, the hospital’s vice president for institutional advancement, Allen Hospital staff detected inappropriate access to the hospital’s medical records on March 14 and opened an immediate review.

Patients may have had their names, home addresses, dates of birth, health insurance information, and treatment information disclosed in the incident. The report stated that less than 15 percent of affected patients may have had their Social Security numbers viewed.

“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” UnityPoint Health-Allen Hospital’s Vice President for Institutional Advancement Jim Waterbury told The Courier.

Steps taken by the hospital to prevent future healthcare data breaches include additional training on proper access of EHR systems and performing more audits.

The facility has also provided patients with guidance on other precautionary measures they can take to protect their information, including placing a fraud alert, placing a security freeze and/or obtaining a free credit report.

————————————————————————————————————————————————————-


Connecticut-based podiatry group suffers data breach

June 2nd, 2016

A Connecticut-based podiatry group has been facing a possible healthcare data breach. The incident has impacted approximately 40,491 individuals after hackers accessed network services. An external party had gained access to Stamford Podiatry Group’s systems, including its EHR database. The intruder is suspected to have viewed patient information between February 22 and April 14, 2016. The healthcare group has ordered a forensic investigation and terminated the unauthorized user’s access to its systems.

“Although we have not been able to confirm that your personal information was accessed and copied, we have not been able to rule out that possibility and encourage you to take … protective measures,” the organization mentioned.

Personal information involved in the healthcare data security event included medical histories, treatment information, names, Social Security numbers, dates of birth, genders, marital statuses, addresses, phone numbers, email addresses, names of doctors, and insurance information.

Stamford Podiatry Group’s Vice President Rui DeMelo, DPM, FACFAS, wrote in the letter “We have also implemented and are continuing to implement additional security measures designed to protect our systems against future intrusions. We have retained cybersecurity experts to assist us in these efforts.”

While there is no evidence yet that the personal information is being misused, the organization is still offering its patients a year of credit monitoring. The healthcare group has attempted to notify all affected patients. Individuals have also been advised by Stamford Podiatry Group to monitor financial and medical accounts for potential identity theft.

According to recent reports on Department of Health and Human Services data, more than 120 million people have been affected in more than 1,100 separate breaches at organizations handling protected health data since 2009.

“That’s a third of the U.S. population — this really should be a wake-up call,” said Deborah Peel, the executive director of Patient Privacy Rights.

————————————————————————————————————————————————————-


Hacking incident and data breach

May 24th, 2016

Indiana-based Lafayette Pain Care PC recently suffered a probable data breach after an outside entity accessed some patients’ EHR data. According to the OCR data breach portal, around 7,500 individuals were affected by the possible PHI breach.

As per the statement, “Lafayette Pain Care’s EHR management vendor experienced a hacking incident that could have resulted in some patient files being exposed to intruders. The potential healthcare data breach affected multiple EHR systems across the country, confirmed the statement.”

“All this said, our electronic medical records provider has informed us that it is not aware of any evidence that our patient records were in fact accessed or acquired by any unauthorized persons,” as per the website.

Lafayette Pain Care has notified affected individuals and has asked patients to monitor their credit accounts. It also advised them to report any suspicious or inappropriate activity. It has also offered free credit monitoring services to affected and verified patients.

“We do recommend that our patients check with their local credit bureau or credit monitoring agency (such as TransUnion, Experian, or Equifax) for any unauthorized activity with their credit or identity. Patients can also utilize the site www.annualcreditreport.com to review their credit report annually.”

“If any unauthorized activity is noted, it should be reported appropriately. We recommend that all persons receiving medical or surgical care, regularly review their Explanation of Benefits forms to confirm the accuracy of included listed services.”

According to the statement:

Lafayette Pain Care is pleased to welcome new patients to our practice. As a valued customer of our practice, we maintain complete records on you to ensure that we can always communicate with you promptly, treat you in the most appropriate and effective manner, coordinate with your other doctors where needed, and ensure your care is paid for by insurance or other means.
