January's Health Data Breaches Affected 400,813 Patients

The Oklahoma State breach and the still-unfolding Allscripts ransomware situation may have taken the healthcare cybersecurity headlines in January, but they were not the only incidents that put health records at risk in the past month. According to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) reporting page, 400,813 individuals were affected by 18 reported breaches, ranging from intentional hacking incidents to lost devices and spilled records.

Entities must notify OCR of any breach compromising 500 or more patient records within 60 days of discovery. Many of the events reported in January may have begun in months before and only been reported after extensive internal investigations. Here’s what healthcare providers (and a pair of insurers) reported in January.

Hacking Incidents: 369,287 Patients

The Oklahoma State University Center for Health Sciences (OSU-CHS) incident accounted for the vast majority (over 279,000) of records compromised in hacking incidents reported to OCR in January. Anhna Vuong, the center’s vice president of external affairs, told Healthcare Analytics News™ that the institution had “no idea at all” who was behind the attack, which targeted folders containing patient billing information for Medicaid enrollees. The attack was first detected in November.

“What we have learned from this is that you have to do daily penetration testing of your servers,” Vuong said.

Also beginning in November, 3 email accounts linked to Onco360 and Caremed Specialty Pharmacy employees were found to be compromised. “On January 8, 2018, it was determined that a limited number of those e-mails may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers of some of the patients receiving services,” the company said in a statement. According to their report to OCR, as many as 53,173 patient records were exposed.

Other providers reporting breaches were Maryland’s Westminster Ingleside King Farm Presbyterian Retirement Communities (5,228 patients) and a Nevada based pediatric and endocrinology clinic (1,021 patients). Florida’s Agency for Health Care Administration also reported a hack that stemmed from a phishing incident that may have exposed as many as 30,000 Medicaid patients’ records.

Unauthorized Access Incidents: 17,788 Patients

While hacking incidents account for the greatest volume of patient records compromised, unauthorized access events typically occur at a greater frequency. In January, 7 of 17 reported incidents were the result of such incidents.

Incidents are not considered “breaches” if data access or disclosure was unintentional or inadvertent, though organizations may still report the cases if unsure. They can occur in a number of ways, with an unauthorized employee or associate viewing paper records, electronic health records, or emails containing protected patient information.

Such events are rarely accompanied by public statement or acknowledgement. In January, 1 health plan (Central States Southeast and Southwest Areas Health and Welfare Fund of Illinois; 634 patients) reported an unauthorized access incident, alongside 6 providers:

• High Plains Surgical Associates, Wyoming: 607 patients
• RGH Enterprises, Ohio: 4586 patients
• Gillette Medical Imaging, Wyoming: 4476 patients
• Alicia Ann Oswald (independent chiropractor), California: 800 patients
• Pedes Orange County, California: 917 patients
• Palomar Medical Center Escondido, California: 1309 patients
• QuadMed, Wisonsin: 4549 patients

Loss/Theft: 11,640 Patients

While the loss or theft of devices containing protected patient information is unfortunately hard to prevent, it can still be quite costly. In 2012, the dialysis chain Fresenius Medical Care suffered 5 unrelated incidents, all in different states, that compromised less than 600 patient records combined. This week, the company agreed to pay HHS a $3.5 million settlement.

Two firms reported losing patient records. DJO Global, maker of surgical devices and implants, reported that it may have lost as many as 1,203 patient product agreement forms that containing information protected by HIPAA. The forms “were likely lost in transit” while being picked up from medical centers in Nevada to be delivered to the company.

A radiology lab in Massachusetts lost a hard drive containing information about every patient it had given a bone density scan since 2010. In total, 9,387 patient records may have been exposed when the hard drive went missing.

“There are no leads on where the hard drive went…We’ve looked everywhere in the building, spoken to every person who works there, and nobody knows,” Brian Parillo, the executive director of Charles River Medical Associates, told the Worcester newspaper Telegram & Gazette.

One theft was reported: a laptop was stolen from the car of a Penn Medicine employee in Philadelphia. The unencrypted device contained personal health data of about 1,000 patients, though no social security numbers or financial information were reportedly involved.

Improper Disposal: 2,008 Patients

Only 2 providers reported potential HIPAA violations involving the improper disposal of medical information: Western Washington Medical Group in Washington (842 patients) and the Rocky Mountain Women’s Health Center in Utah (1166 patients). Both failed to safely dispose of paper- or film-based patient records.

And Ransomware...

HHS guidance states that "When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule."

On that front, it would be hard to talk about January breaches without mentioning the Allscripts incident, in which 1,500 or more small practices were locked out of many key health records functionalities due to a SamSam attack that compromised 2 of the EHR company's data centers. Last week, the company was hit with a class-action lawsuit as a result.