MaineGeneral, FBI probe cyber attack
Dec. 8: MaineGeneral Health CEO Chuck Hays provided details of a cyber attack on the health system's network that has put patient data at risk and involved an FBI investigation.
Full story.
Insurance company pays $3.5M HIPAA settlement for poor PHI protections
Dec. 4: Triple-S Management Corporation has agreed to settle potential HIPAA violations with the U.S. Department of Health and Human Services' Office of Civil Rights to the tune of $3.5 million, after repeatedly failing to put safeguards in place for its beneficiaries' PHI.
Full story.
Lahey pays $850K for 'widespread' HIPAA non-compliance
Nov. 30: Lahey Hospital and Medical Center has settled with the U.S. Department of Health and Human Services' Office for Civil Rights for potential HIPAA violations related to lax security.
Full story.
Keystroke logger detected on hospital's computers
Nov. 16: A hospital in Kentucky is notifying patients of a security incident, after it was discovered that some of its computers had been infected with a keystroke logger designed to capture and transmit data as it was typed.
Full story.
Sutter Health says data on 2500 patients involved in potential breach
Sept. 16: Hospital operator Sutter Health last week said personal information on more than 2,500 patients was improperly emailed by a former employee in 2013, representing a possible breach of patient data. The possible breach is the latest privacy violation for the major California-based health system.
Full story.
Excellus BlueCross BlueShield cyberattack impacts 10.5M people
Sept. 10: Hackers had unfettered access to Excellus BlueCross BlueShield's information systems for more than a year and a half before the health plan even noticed the cyberattack had occurred.
Full story.
Sony HIPAA breach lawsuit approaches settlement
Sept. 4: Plaintiffs who slapped Sony Pictures with a class action lawsuit after their detailed medical records were swiped in a cyberattack last November have finally reached an agreement on a proposed settlement.
Full story.
Oncology group slapped with $750K HIPAA fine
Sept. 2: Cancer Care Group, a large radiation oncology practice in Indianapolis, is reevaluating its privacy and security practices after it was slapped with a $750,000 HIPAA settlement from the Department of Health and Human Services. It agreed to pay the sum to settle alleged HIPAA violations involving a breach that occurred three years ago.
Full story.
HIPAA breach for hospital after worker swiped patient data
Aug. 28: A 12-hospital health system is notifying hundreds of its current and former patients that their protected health information has been compromised after discovering an employee was involved in identity theft.
Full story.
VA's use of Yammer made for PHI, data security risk
Aug. 27: It turns out the Department of Veterans Affairs uses a Web-based communication platform that isn't exactly secure. In fact, a new report suggests VA practices in this case put protected health information at serious security risk.
Full story.
Snooping employees sacked, disciplined after HIPAA breach
Aug. 21: After 14 of its employees were found to have accessed a high-profile patient's medical records "without a legitimate patient care need," the nine-hospital Carilion Clinic in Roanoke, Va., is sending a clear message that this behavior will not be tolerated.
Full story.
Coding update makes for HIPAA breach blunder
Aug. 18: Colorado Department of Health Care Policy and Financing has notified 1,622 households, about 3,000 individuals according to a CBS report, that their protected health information, names, addresses and employment/income data were compromised following a coding error.
Full story.
Russian hackers hit DoD: PHI at risk?
Aug. 7: The Pentagon confirmed late Thursday that Russian hackers penetrated the Defense Department's IT networks and gained access to Joint Chiefs of Staff email servers.
Full story.
Update: Hackers hit business associate, swipe PHI and Social Security numbers
Aug. 5: Medical Informatics Engineering, the Fort Wayne, Ind.-based electronic health record provider and parent company of NoMoreClipboard, is updating an earlier breach notification with additional details, specifically how many were impacted. Some 3.9 million individuals had their data compromised in the breach.
Full story.
Hackers swipe data of 4.5M at UCLA Health System in massive cyberattack
July 17: The four-hospital UCLA Health System on Friday notified a staggering 4.5 million of its patients that their protected health information and Social Security numbers were compromised following one of the largest HIPAA breaches ever reported.
Full story.
Hospital with repeat security failures hit with $218K HIPAA fine
St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations.
Full story.
Hospital draws HIPAA heat after NFL medical record tweet
July 9: An employee at Jackson Memorial Hospital reportedly leaked the medical record of Jason Pierre-Paul, the defensive lineman star for the New York Giants, to an ESPN reporter, who then posted a portion of the player's medical record online. The medical record posted to Twitter confirmed that Pierre-Paul had his right finger amputated at the hospital, a procedure reportedly attributed to a July 4 fireworks mishap.
Full story.
Hospital employee indicted for fraud after swiping data of 12K
June 22: Manhattan's district attorney last week announced the indictment of Monique Walker, 32, a former assistant clerk at the eight hospital Montefiore Health System, for swiping patient data and supplying it to an identity theft ring. Walker, who had access to patient names, Social Security numbers, dates of birth, among others, reportedly printed the records of as many as 12,000 patients and supplied them to seven other individuals who used the data to make multiple purchases from department stores and retailers.
Full story.
State agency HIPAA security gaffe puts patient data on the Internet
June 12: The Texas Department of Aging and Disability Services, a state agency responsible for administering support and services for the aging individuals and people with disabilities, announced June 11 a data breach following the "unintentional release" of personal data. The breach impacted 6,600 of its Medicaid recipients, state officials said, including the compromise of their names, dates of birth, addresses, Social Security numbers, Medicaid numbers and clinical diagnoses and treatment information.
Full story.
Health system's data breach insurance claims get challenged
June 1: The three-hospital Cottage Health System in California back in December 2013 notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible to the Internet. Resultantly, the data may have been publicly available on search engines like Google.
Full story.
Hackers hit health system, swipe data on 220K
May 27: Officials at Beacon Health System in South Bend, Indiana, posted a breach notification May 22 on its website, detailing a phishing attack that started back in November 2013 where unauthorized individuals gained access to Beacon employees' email accounts. Hackers had full access to these files from November 2013 to January 2015.
Full story.
Coast Guard hit for slack PHI security
May 21: The Department of Homeland Security's Office of the Inspector General, an independent government watchdog, has found the Coast Guard seriously lagging in its efforts to protect personal health information. The problem in a nutshell? It has not made it a health data security a priority.
Full story.
Cyberattackers swipe data of 1.1M at CareFirst
May 21: It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. What's more, the cyberattack wasn't even detected in-house. The Baltimore, Md.-based CareFirst BlueCross BlueShield health plan announced the cyberattack May 20, despite the attack occurring back in June 2014.
Phishing scam breach compromises data of 39K
April 29: The Texas-based Seton Healthcare Family, part of Ascension health system, has notified affected patients after a December 2014 phishing attack compromised an email account. Following an investigation, officials determined at the end of February that the email accounts impacted by the phishing scam contained PHI for 39,000 patients.
Full story.
Health system sees 7th HIPAA data breach
April 24: The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data was compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in a less than five years.
Full story.
Premera Blue Cross hack exposes 11M
April 10: A Florida healthcare worker has been indicted by a U.S. district court for swiping the Social Security numbers and personal data of some 9,000 patients and using them for fraudulent purposes.
Full story.
Healthcare insider snoop indicted for fraud scheme
March 18: In what looks to be becoming a trend, another health plan has been targeted with a "sophisticated cyber attack," with hackers gaining access to the financial and medical information of 11 million members. Washington state-based Premera Blue Cross, a not-for-profit plan whose corporate clients include Pacific Northwest giants Microsoft and Starbucks, announced the breach, which was detected in January, on March 17.
Full story.
Hackers strike healthcare industry again
March 9: The 508-bed St. Mary's Medical Center, part of Ascension Health, is notifying some 4,400 of its patients of a data breach following a cyberattack that occurred back in December. Hospital officials say on Dec. 3 they discovered hackers swiped employee email usernames and passwords. After shutting down the affected accounts, they determined those employee email accounts contained personal patient data of 4,400 individuals, including Social Security numbers, names, dates of birth, insurance information and health data.
Full story.
No encryption means HIPAA breach for 45K
Feb. 10: Some 45,000 people are getting HIPAA breach notification letters after a mental health provider failed to encrypt laptops containing clients' medical data and Social Security numbers. Aspire Indiana, a mental health organization located in central Indiana, has notified 45,030 of its clients and employees after several unencrypted laptops were stolen from its administrative office back on Nov. 7.
Full story.
Hackers swipe Anthem data in massive cyberattack
Feb. 5: In one of the biggest data breaches ever reported – and possibly the biggest ever – Anthem, the nation's second largest health insurer, is notifying as many as 80 million of its members that hackers penetrated its IT systems and swiped personal data.
Full story.
HIPAA breach puts blame on business associate
Feb. 3: The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed out breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen.
Full story.
EHR audit catches snooping employee
Jan. 26: Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.
Full story.
PHI of 485K swiped in USPS data breach
