◆ Health care data breaches will have cost the industry $4 billion by the end of 2019, and 2020 is likely to be worse, reports a new survey from Black Book Market Research LLC.[1] The survey, which queried more than 2,875 security professionals from 733 provider organizations to identify gaps, vulnerabilities and deficiencies, found that virtually all information technology professionals agree that data attackers are outpacing medical enterprises. Health care providers continue to be the most targeted organizations, accounting for nearly four out of every five breaches, the survey found. More than 93% of health care organizations have experienced a data breach since the third quarter of 2016, and 57% have had more than five data breaches during that time frame. More than half of provider breaches were caused by external hacking, the survey found.
◆ A private practice providing mental health services in Durham, North Carolina, says it became aware of potential unauthorized access to patient information when its practice employees were forced to evacuate their office due to a severe gas explosion next door.[2] On April 10, the building adjacent to the office for Main Street Clinical Associates PA suffered a gas explosion. Main Street employees did not have the chance to properly store and secure patient information when they evacuated, the practice says. At the time of the evacuation, certain patient files in use were left open, and the file room containing patient records was unlocked, the practice said, adding, “Due to the nature and extent of the damage to the building, Main Street’s employees were prohibited from reentering the building until September 9, 2019.” Upon reentry, Main Street employees discovered that looters had unlawfully entered the office and stolen two laptop computers, a clinician’s cell phone, and a printer that stored patient information. The computers, the cell phone, and the client files stored on them were password protected. Main Street believes the unauthorized access to the building occurred sometime between July 15 and Sept. 9. “Although they cannot confirm whether any protected health information was actually accessed, viewed, or acquired without authorization, Main Street is providing this notification out of an abundance of caution, because such activity cannot be ruled out,” the practice’s notice said. Information that may have been compromised included patient names, driver’s license numbers, Social Security numbers, health insurance information, and diagnosis and treatment information. The investigation into whether the devices have been accessed without authorization is ongoing.
◆ The University of North Carolina (UNC) at Chapel Hill School of Medicine has begun notifying 3,716 patients that their protected health information may have been exposed in a phishing attack that involved some of the school’s accounts.[3] “A leading independent forensic firm conducted a lengthy and extensive review that concluded on Sept. 13, 2019, and confirmed that an unauthorized third party gained access to several email accounts during the approximate timeframe of May 17, 2018 to June 18, 2018,” the school of medicine’s statement said. “This review confirmed that some patients’ personal information was contained in the affected email accounts, possibly related to treatments received when they were seen by a UNC physician.” Information that may have been compromised included patients’ names and dates of birth, and demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information and credit card information, the school said, adding that “the unauthorized third-party access was limited to the affected email accounts and did not impact medical record systems or patient care systems maintained by UNC Health Care. Information technology security teams continue to monitor relevant systems for unauthorized activity.” UNC School of Medicine said that it has implemented multifactor authentication to increase the security of its email accounts, and has enhanced employee training on phishing recognition and awareness.
◆ A large health provider in southern Maine says the personal health information for around 30,000 of its patients may have been exposed in an email data breach.[4] According to a Nov. 5 statement, InterMed PA first learned about the unauthorized access to one of its employee’s email accounts on Sept. 6. InterMed said it took immediate action to secure the account and hired a forensics team to investigate. The investigation found that three other employee email accounts also were compromised. In total, the email accounts contained information on roughly 30,000 of the provider group’s patients. Information that was compromised included patient names, dates of birth, health insurance information and clinical information. For “a limited number” of patients, Social Security numbers also were exposed.
◆ New research finds that the timeliness of care deteriorates and the overall death rate among heart attack patients increases slightly following a data breach at the treating hospital.[5] The study, published in Health Services Research, looked at remediation efforts and their impact on hospital quality. The study found that hospital time-to-electrocardiogram (ECG) increased as much as 2.7 minutes, and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the three-year window following a breach. The study authors speculate that the reason for the changes is the increase in security measures after a breach. “For example, stricter authentication methods, such as passwords with two-factor authentication, are additional steps that slow down workflow in exchange for added security,” the study said. “Lost passwords and account lockouts are nuisances that may disrupt workflow.” The authors added that the persistence in the “longer time to ECG” measure suggests a “permanent increase in time requirement due to stronger security measures.”
◆ Data breaches at pharmacy benefit management company Magellan Health Inc. exposed the private information of nearly 90,000 Florida Blue[6] and TennCare[7] members in total, the insurers say. Private information that potentially was compromised includes names, Social Security numbers, member IDs, health plans, provider names and the names of prescribed drugs. The breaches occurred several months ago, but none of the companies involved disclosed them until Nov. 8. Florida Blue said that “less than 1 percent” of its approximately 5 million members were affected. The Florida Blue breach, which reportedly occurred on May 28, was traced back to an employee who handles the healthcare provider’s member data. Magellan believes the employee’s email was hacked in a phishing scam. TennCare’s breach involved nearly 44,000 people. An investigation into the incidents found no evidence that the hacker tried to use the information in the employee’s email.
◆ Aegis Medical Group in Lake County, Florida, said that an employee, who has since been fired, inappropriately accessed account information of some patients and tried to sell the personal information, including names and Social Security numbers, of at least two patients to third parties in an attempted identity theft or financial fraud.[8] The improper access occurred between July 24 and Sept. 9. Affected patients have been notified, according to the medical group, and have been advised to monitor their bank accounts and credit cards, place fraud alerts with the credit bureaus, and create an Identity Theft Report by filing a complaint with the Federal Trade Commission and local police departments.
◆ Kaiser Permanente said that a data breach left personal information on 990 Sacramento, California, patients exposed to an unknown and unauthorized individual for around 13 hours.[9] “The exposure was identified by an IT security process and corrected immediately upon discovery,” said Angela Anderson, Kaiser’s regional compliance director and privacy and security officer for Northern California, in an email sent to The Sacramento Bee. “We do not have any evidence that the information was viewed, used or copied.” In a letter to Kaiser members issued Sept. 27, Anderson said that the unauthorized individual had access to a Sacramento-area provider’s email account, and that data in the email account included names, dates of service, ages, dates of birth, genders, provider names, provider comments, payer names, diagnoses, medical histories, benefit information, insurance coverage statuses, and services provided.
◆ Salem Health Hospitals & Clinics, based in Salem, Oregon, said in a letter to patients that it had suffered a breach in August.[10] “On August 1, 2019, we learned that an unauthorized individual gained access to a limited number of employee email accounts on July 31,” the letter stated, noting that the health system “immediately took steps to secure the accounts and began an investigation, which is ongoing.” The investigation hasn’t been able to determine whether the unauthorized party actually viewed any emails or attachments, and Salem Health is in the process of reviewing all the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person. “We expect that some patient information is contained in the accounts, including patient names, dates of birth and information about care they received at Salem Health,” the letter said.