Lost hard drives, email hacks, and more: Last month, 18 different institutions reported breaches.
The Oklahoma State breach and the still-unfolding Allscripts ransomware situation may have taken the healthcare cybersecurity headlines in January, but they were not the only incidents that put health records at risk in the past month. According to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) reporting page, 400,813 individuals were affected by 18 reported breaches, ranging from intentional hacking incidents to lost devices and spilled records.
Entities must notify OCR of any breach compromising 500 or more patient records within 60 days of discovery. Many of the events reported in January may have begun in months before and only been reported after extensive internal investigations. Here’s what healthcare providers (and a pair of insurers) reported in January.
The Oklahoma State University Center for Health Sciences (OSU-CHS) incident accounted for the vast majority (over 279,000) of records compromised in hacking incidents reported to OCR in January. Anhna Vuong, the center’s vice president of external affairs, told Healthcare Analytics News™ that the institution had “no idea at all” who was behind the attack, which targeted folders containing patient billing information for Medicaid enrollees. The attack was first detected in November.
“What we have learned from this is that you have to do daily penetration testing of your servers,” Vuong said.
Also beginning in November, 3 email accounts linked to Onco360 and Caremed Specialty Pharmacy employees were found to be compromised. “On January 8, 2018, it was determined that a limited number of those e-mails may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers of some of the patients receiving services,” the company said in a statement. According to their report to OCR, as many as 53,173 patient records were exposed.
Other providers reporting breaches were Maryland’s Westminster Ingleside King Farm Presbyterian Retirement Communities (5,228 patients) and a Nevada-based pediatric and endocrinology clinic (1,021 patients). Florida’s Agency for Health Care Administration also reported a hack that stemmed from a phishing incident and may have exposed as many as 30,000 Medicaid patients’ records.
While hacking incidents account for the greatest volume of patient records compromised, unauthorized access events typically occur with greater frequency. In January, 7 of 17 reported incidents were unauthorized access events.
Incidents are not considered “breaches” if data access or disclosure was unintentional or inadvertent, though organizations may still report such cases if unsure. Unauthorized access can occur in a number of ways, such as an unauthorized employee or associate viewing paper records, electronic health records, or emails containing protected patient information.
Such events are rarely accompanied by public statement or acknowledgement. In January, 1 health plan (Central States Southeast and Southwest Areas Health and Welfare Fund of Illinois; 634 patients) reported an unauthorized access incident, alongside 6 providers:
While the loss or theft of devices containing protected patient information is unfortunately hard to prevent, it can still be quite costly. In 2012, the dialysis chain Fresenius Medical Care suffered 5 unrelated incidents, all in different states, that compromised fewer than 600 patient records combined. This week, the company agreed to pay HHS a $3.5 million settlement.
Two firms reported losing patient records. DJO Global, maker of surgical devices and implants, reported that it may have lost as many as 1,203 patient product agreement forms containing information protected by HIPAA. The forms “were likely lost in transit” while being picked up from medical centers in Nevada for delivery to the company.
A radiology lab in Massachusetts lost a hard drive containing information about every patient it had given a bone density scan since 2010. In total, 9,387 patient records may have been exposed when the hard drive went missing.
“There are no leads on where the hard drive went… We’ve looked everywhere in the building, spoken to every person who works there, and nobody knows,” Brian Parillo, the executive director of Charles River Medical Associates, told the Worcester newspaper Telegram & Gazette.
One theft was reported: a laptop was stolen from the car of a Penn Medicine employee in Philadelphia. The unencrypted device contained personal health data of about 1,000 patients, though no Social Security numbers or financial information were reportedly involved.
Only 2 providers reported potential HIPAA violations involving the improper disposal of medical information: Western Washington Medical Group in Washington (842 patients) and the Rocky Mountain Women’s Health Center in Utah (1,166 patients). Both failed to safely dispose of paper- or film-based patient records.
HHS guidance states that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
On that front, it would be hard to talk about January breaches without mentioning the Allscripts incident, in which 1,500 or more small practices were locked out of many key health record functions due to a SamSam ransomware attack that compromised 2 of the EHR company’s data centers. Last week, the company was hit with a class-action lawsuit as a result.