HIPAA Data Breaches: 2019 Case Studies
by Jim Moore 11/9/2020
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that protects patient health information (PHI). A HIPAA breach is when PHI is accessible to someone who shouldn’t have access to it.
Some HIPAA breaches happen because an employee was curious. Other HIPAA breaches are simply an innocent mistake, such as when an employee is fooled by a phishing email. But other HIPAA breaches happen because criminals are targeting PHI. Many criminals target PHI because the payout can be 10 times as large as ordinary identity theft. PHI can also be exploited for 4 times longer.
This blog post features HIPAA breach case studies from 2019 covered by Smart Training’s HIPAA Certified Professional, Jim Moore. Here’s the types of 2019 HIPAA breaches you’ll learn about in this post:
- Social Media
- Email phishing
- Unencrypted devices
And in the end, you’ll receive a summary of how expensive HIPAA fines were in 2019.
Andrews Braces Ransomware Attack
Andrews Braces, an orthodontics practice in Sparks, Nevada, suffered a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day.
Andrews Braces hired a forensic investigator to assess the scope and extent of the attack and determine whether patient information had been accessed or exfiltrated prior to encryption. While it is not uncommon for ransomware attacks to involve data theft, the investigation did not uncover any evidence to suggest data had been obtained by the attackers. This appeared to be an automated attack with the sole aim of encrypting data to extort money from the practice.
The practice regularly backed up patient data and stored its backups securely, so it was possible to restore the encrypted files without paying the ransom. While data theft is not suspected, the possibility could not be ruled out, and notification letters have been sent to all affected patients.
Debt Collection Breaches Cost Big Money
HIPAA Journal reports that one of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. The number of clients affected by the attack is unknown.
In 2019, the medical debt collection agency, American Medical Collection Agency was attacked with ransomware. Prior to data encryption, approximately 27 million records were stolen, making it the largest data breach of the year. The cost of the attack proved too much, and AMCA was forced into bankruptcy.
With many more clients than AMCA, the R1 RCM ransomware attack has the potential to be far larger.
A Class-Action Lawsuit
Various healthcare organizations continue to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopedic Institute, one of the largest orthopedic providers in the state, is the latest healthcare provider to face a class-action lawsuit over a ransomware attack.
HIPAA Journal reports that the ransomware attack was detected on April 9, when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information.
Affected patients were notified about the breach on or around June 19 and offered complimentary identity theft and credit monitoring services. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.
Another Class-Action Lawsuit
Another HIPAA class-action lawsuit in the news, following the Hackensack Meridian Health ransomware attack that affects all 17 of its New Jersey hospitals.
The attack disrupted medical services while systems were offline. Systems remained down for several days while data was recovered. Medical services continued to be provided with staff reverting to pen and paper to record patient information. Some non-emergency medical procedures had to be canceled.
While Hackensack Meridian Health apparently took reasonable steps to limit the harm caused to patients and restore systems and data in the shortest possible time, their after-the-fact effort was not enough to prevent legal action.
Don’t Share Patient X-rays!
HIPAA Journal reports that a non-physician employee of Quantum Imaging and Therapeutic Associates, a physician-owned radiology group in Pennsylvania, allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group.
Of course, the sharing of medical images on social media networks, without patient consent, is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said, “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports.” No further information has been released about the breach pending the results of the investigation.
The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by thousands of people.
Breach Affects 60K Patients
HIPAA Journal reports that an unauthorized individual gained access to computer systems at Allergy and Asthma Clinic in Fort Worth and may have obtained patients’ billing information. The breach was detected on June 4th, two weeks after the hacker gained access to the clinic’s network.
The hacker may have accessed files containing patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and information regarding office visits.
The breach report submitted to the Office for Civil Rights indicates that 69,777 individuals were affected by the breach.
Dallas Dental Breach Affects 45K Patients
Jefferson Dental Care Healthcare Management in Dallas says an unauthorized individual accessed the email account of an employee between July 21 and August 26, 2019.
Suspicious email account activity was detected in October and the account was immediately secured. JDH Healthcare Management determined that the account contained the PHI of 45,748 patients.
Names, addresses, dates of birth, medical treatment information, medical histories, health insurance information, payment information, patient numbers, and medical record numbers may have been compromised. Complimentary credit monitoring and identity protection services have been offered to affected patients.
JDH Healthcare Management is reviewing its HIPAA policies and procedures and additional safeguards will be implemented to improve email security.
Banner Breach Settled for Nearly $9m
HIPAA Journal notes that the settlement proposed by Banner Health to resolve a class-action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge.
The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future.
The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers that stored the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The data breach was the largest to be reported by a healthcare organization in 2016 is still one of the 10 largest healthcare data breaches of all time.
The class-action lawsuit claimed “financially motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information.”
Breach in Texas
HIPAA Journal reports that Legacy Community Health in Houston is notifying approximately 19,000 patients that some of their PHI may have been accessed by an unauthorized individual who gained access to the email account of one of its employees.
On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that allowed the employee’s email account to be accessed. The breach was discovered on April 16th and the email account was immediately secured.
Assisted by a third-party computer forensics firm, Legacy Community Health confirmed the breach was limited to one email account which was found to contain patient names, dates of service, and health information related to the care provided at its clinics. 19,000 patients were notified.
Legacy Community Health is taking steps to improve email security and has enabled multi-factor authentication on its email accounts.
Another Phishing Attack
An Atlanta-based healthcare provider is facing a class-action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, the Aveanna Healthcare breach is one of the largest healthcare data breaches to be reported this year.
HIPAA Journal reports that several Aveanna email accounts were compromised in a phishing attack. The attack was discovered on August 24, 2019; an ensuing investigation revealed the first email account was breached on July 9, 2019, giving attackers access to protected health information for more than 6 weeks. While no evidence was found to suggest patient information was stolen in the attack, it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.
The HIPAA Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days. However, Aveanna Healthcare delayed issuing breach notifications to patients until this year and only reported the breach to the HHS’ Office for Civil Rights on February 14, 2020.
More than 100 patients affected by the breach have so far been included in the lawsuit, which alleges that Aveanna Healthcare failed to issue timely notifications and failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner,” and information stored in its systems was vulnerable to attack as a result.
This breach illustrates the importance of providing HIPAA training to every new and current employee.
Theft Leads to Data Breach
Elf Ridge Dentistry, an Estes Park, Colorado dental practice, reports that a portable hard drive used to store backups was stolen from the practice. The incident has been reported to law enforcement, but the hard drive has not been recovered.
HIPAA Journal notes that the hard drive contained the records of 2,793 patients and included names, addresses, dates of birth, healthcare information, X-ray images, and a limited number of Social Security numbers. Treatment consent forms, referral letters, and emails were also backed up on the device.
Affected patients have been offered complimentary membership to identity theft protection services.
The only way to prevent a similar incident in your practice is to ensure that backup drives are encrypted. Password protection isn’t enough; the drive must be encrypted in order to avoid a breach if the drive is stolen or lost.
$1M Fine for Failure to Remediate
The Office for Civil Rights imposed a $1,040,000 HIPAA penalty on Lifespan Health System following the discovery of systemic noncompliance with the HIPAA Rules.
Lifespan is a not-for-profit health system based in Rhode Island. On April 21st, 2017, a breach report was filed with OCR about the theft of a laptop computer on February 25, 2017.
The laptop had been left in the vehicle of an employee in a public parking lot and contained information relating to 20,431 patients. Through their own Risk Assessment, Lifespan had determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk but failed to implement the remediation measure. As a result, the stolen laptop had not been encrypted.
OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Additionally, Lifespan had not obtained signed Business Associate Agreements from its healthcare provider affiliates.
2019 Summary: Average HIPAA Penalty was $1M
HIPAA Journal reports that 2019 was another heavy enforcement year for HIPAA compliance.
HIPAA enforcement in 2019 by the Office for Civil Rights resulted in 10 financial penalties. $12,274,000 was paid to OCR in 2019 to resolve HIPAA violation cases.
2019 saw one civil monetary penalty issued while settlements were reached with 9 entities. That represents one fewer settlement than in 2018.
In 2019, the average financial penalty was $1,022,833.
Does your Practice need HIPAA help?
Smart Training’s training and compliance packages (Platinum+, Essentials, and Complete Compliance Solution) offer everything your practice needs to reach HIPAA compliance. You’ll get online HIPAA training modules, monthly security meetings, HIPAA policies and procedures, updated HIPAA documents, and depending on your package, your own Compliance Officer.
Request a demonstration today!