Round Up of Recent Healthcare Data Breaches

Here’s a summary of the healthcare data breaches reported to OCR by healthcare providers and business associates of HIPAA covered entities in the past two weeks.

26-Month Malware Infection of Tillamook Chiropractic Clinic Discovered

Oregon-based Tillamook Chiropractic Clinic’s system was discovered to have been infected by malware, resulting in the theft of the health information of 4,058 patients. The clinic became aware of the malware on its system on August 3, 2018 during an internal security audit. The malware was installed despite having a firewall, anti-virus and anti-malware software installed and its computers and servers being fully patched.

Upon investigation of the security breach, it was found that the malware was installed on its insurance billing system on May 24, 2016. The attackers used the system as a staging area for collecting patient data before exfiltration. For 26 months this security breach was not detected.

The stolen information includes full names, home and work addresses, birth dates, telephone numbers, diagnoses, laboratory test results, prescribed medicines, driver’s license numbers, insurance billing data, bank account numbers, bank routing numbers, employee payroll details, and Social Security numbers of Medicare patients.

Tillamook Chiropractic Clinic eliminated the malware  on August 3, 2018 and upgraded its network security systems to prevent further malware infections.

Potential Hacking at Gwinnett Medical Center Investigated

A potential data breach is being investigated at Gwinnett Medical Center (GMC) in Lawrenceville, GA. Gwinnett Medical Center spokeswoman Beth Hardy said that an unauthorized person accessed the PHI of around 40 patients. The names, birth dates and genders of 40 patients were also disclosed on Twitter by the attackers following an alleged cover-up of the breach. Patients have now been notified of the exposure of their data.

However, it’s possible that the breach is more serious. According to Salted Hash, which allegedly spoke with an source at the medical center, the breach potentially impacted hundreds of patients. Gwinnett Medical Center has notified the FBI about the breach and investigations are still ongoing.

19,000 People Affected by Toyota Industries North America Breach

Toyota Industries North America (TINA) based in Columbus, IN has notified roughly 19,000 present and past employees and health plan members of the TINA group of companies about the exposure of some of their protected health information (PHI) after it was discovered that an unauthorized person had gained access to certain company email accounts and possibly viewed/copied PHI.

TINA discovered the breach on August 30 and security experts were immediately called in to investigate the data breach. The compromised email accounts contained PII and PHI including full names, home addresses, email addresses, birth dates, telephone numbers, financial account details, social security numbers, images of social security ID, driver’s license numbers, images of driver’s licenses, birth certificates, passports, treatment details, prescription details, diagnoses, health plan beneficiary numbers and portal usernames, security questions and passwords.

All persons affected by the breach have been notified by mail. TINA has also offered 12 months of complimentary credit monitoring and identity theft protection services. Steps have now been taken to enhance security, such as using multi-factor authentication, having real-time security checks, and revising password protection and resetting policies. To reduce the risk of email breaches, TINA is also updating user training and security practices.

722 Patients Impacted by Kansas City Business Associate Mailing Error

Pulse Systems, a revenue cycle management firm based in Kansas City, MO, has notified 722 patients of Lincoln Pulmonary and Critical Care in Nebraska that some of their PHI has been impermissibly disclosed. The breach was due to an error made sending statements on July 27 which resulted in them being sent to incorrect recipients. The statements contained information such as patients’ names and procedure details. Pulse Systems reports that changes have been made to prevent similar errors from occurring in the future.

813 Persons Affected by Oklahoma Department of Human Services Mailing Error

Oklahoma Department of Human Services (ODHS) has notified over 800 parents and guardians engaged in a developmental disabilities services program that some of their PHI has been impermissibly disclosed because of an error in computer software. Because of the error, the envelopes used to send the Plan of Care change notice mailings from May 17 to July 25 were mis-addressed.

The information contained in the mailings included names, addresses, Medicaid client ID numbers, DHS case numbers, plan of care numbers, dates authorized services were provided, names of providers, and an explanation that the individual is authorized to obtain Medicaid Home and Community-Based Waiver Services. There were no Social Security numbers exposed. According to ODHS, 813 persons received mailings that contained the information of somebody else.