by adgrooms on January 24, 2020

We have looked at several different perspectives on healthcare data breach information in recent posts. We are close to combining the observations from all of the previous posts into a full report. In the data from HHS that we have been analyzing, some of the breaches are accompanied by a detailed explanation of the cause and the corrective action taken. These give more insight into some of the causes of breaches.

Looking through the details, the causes vary extensively. Some are large, some are small. Some are accidental, and some are intentionally perpetrated by bad actors. Some happen over the internet and some are caused by a staff member at the entity. There are recurring causes of breaches, including laptops stolen from vehicles, paper records thrown into the dumpster without shredding, and phishing emails, to name a few. Here we look at a few interesting ones to understand some of the less common ways that breaches can occur.

We have removed the names of the entities in this post. They have reported the breach, taken corrective action, and paid in fines and lost business. These entities should be lauded for reporting their breaches. This information helps all members of the community understand the threats and the pitfalls and take pre-emptive corrective action. We want to focus on what happened and why in these cases to foster thought about preventing future breaches.

There are a few terms we want to clarify that appear frequently in the information. "Covered Entity" (CE) refers to a health care provider, a health plan, or a healthcare clearinghouse that transmits health information electronically. They may work with a person or an entity called a "Business Associate" (BA) that conducts certain functions related to the covered entity. Both the CE and the BA are subject to HIPAA rules regarding protected health information (PHI).

PHI blows out of trash truck

Location: FL

Entity Type: Healthcare Provider

Individuals Affected: 483,063

Date Reported: 02/12/16

Breach Type: Loss

Location of Data: Paper/Films

Breach: On December 19, 2015, 12 boxes containing 483,063 patients’ records fell off the business associate’s (BA) truck and onto the street while being transported to the incinerator. The types of PHI in the records included patients’ names, addresses, dates of birth, social security numbers, claims information, credit card/bank information, diagnosis codes, lab results, and treatment information. A news article on the breach also states "Employees from [the CE] scoured the area on foot, picking up as many of the records as they could find. The company conducted three searches: Dec. 19, the day the records were lost; Dec. 21 and Dec. 22. But because the wind on Dec. 19 reached gusts of up to 28 mph, it's doubtful all the records were retrieved."

Corrective Action: The CE provided breach notification to HHS, affected individuals, and the media and also posted a public notice on its website. It also activated a call center on January 12th, 2016, which provided information about the breach for 90 days, and provided identity protection for one year to the affected individuals. In response to the incident, the CE opened an internal investigation and interviewed all relevant staff and its business associates. The CE ended its business relationship with the BA and improved safeguards by changing the process for records’ destruction. OCR obtained assurances that the CE implemented the corrective actions listed above.

PHI in mailings sent to the wrong address

Location: IL

Entity Type: Healthcare Provider

Individuals Affected: 160,000

Date Reported: 12/15/14

Breach Type: Other

Location of Data: Paper/Films

Breach: The covered entity (CE) mailed patient notification letters to incorrect third parties. The letters included first and last names, addresses, dates of birth, phone numbers, provider names, and details of the vaccines administered and affected approximately 160,000 individuals.

Corrective Action: The CE provided breach notification to HHS, affected individuals, and the media, and placed a public notice on its website. Following the breach, the CE resolved issues in its use of the electronic health record (EHR) that were factors in the breach, updated data in the prescriber database and trained its staff on the new requirements. As a result of OCR’s investigation, the CE improved safeguards by resolving two issues in its use of the EHR.

Disks with PHI lost in transit

Location: PA

Entity Type: Business Associate

Individuals Affected: 130,495

Date Reported: 06/04/10

Breach Type: Theft

Location of Data: Other

Breach: The covered entity's business associate (BA) shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to another covered entity (CE). The CDs, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers.

Corrective Action: The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.

PHI stolen by internal actors

Location: FL

Entity Type: Healthcare Provider

Individuals Affected: 64,846

Date Reported: 09/07/12

Breach Type: Unauthorized Access/Disclosure

Location of Data: Paper/Film

Breach: Two employees of the covered entity (CE) printed patients’ face sheets in excess of their job duties and sold them over a period of 19 months before the activity was discovered by police while on an unrelated house raid. Following notification by the police, the CE conducted an internal investigation and determined that the breach potentially involved the protected health information (PHI) of 64,846 individuals. The PHI involved in the breach included demographic and clinical information.

Corrective Action: The CE provided breach notification to HHS, affected individuals, and the media. It also applied sanctions to the involved employees. Following the breach, the CE disseminated educational material to the workforce and reviewed its HIPAA policies and procedures. It also deployed a program which monitors its electronic systems to safeguard against inappropriate use. OCR obtained assurance that the CE took the corrective actions listed above. The CE also confirmed its plan to continue to perform frequent access reviews, periodic audit trail reviews, and to create and retain audit logs for routine analysis.
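The corrective action above ends with a commitment to frequent access reviews and periodic audit-trail reviews. A 19-month run of excess printing is exactly what such a review should surface, so here is an added example (not the covered entity's code) of what one looks like in practice: it parses a print-audit log, counts the distinct patients whose face sheets each user printed, and flags users who are robust outliers relative to peers in the same role. The log format, role names and thresholds are assumptions, and the log lines are constructed for illustration.

```python
"""Added example: a periodic audit-trail review that flags workforce members
whose printing of patient face sheets is far out of line with their peers.
Not the covered entity's code; the log format, roles and thresholds are
assumptions, and the log lines are constructed for illustration."""
import re
from collections import defaultdict
from statistics import median

# Assumed print-audit record: timestamp, user, role, action, document type, patient MRN.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=PRINT doc=(?P<doc>\S+) mrn=(?P<mrn>\d+)$"
)

def parse_face_sheet_prints(lines):
    """Map role -> user -> number of distinct patients whose face sheet the user printed."""
    patients = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["doc"] == "FACE_SHEET":
            patients[m["role"]][m["user"]].add(m["mrn"])
    return {role: {u: len(s) for u, s in users.items()} for role, users in patients.items()}

def flag_outliers(counts_by_role, z_threshold=3.5, min_excess=10):
    """Robust outlier test per role: median plus scaled median absolute deviation (MAD).
    Comparing within a role matters because nurses legitimately print more than clerks.
    min_excess stops tiny, near-identical groups (MAD of 0) from flagging everyone."""
    flagged = {}
    for role, counts in counts_by_role.items():
        values = list(counts.values())
        med = median(values)
        mad = median(abs(v - med) for v in values)
        cutoff = med + max(z_threshold * 1.4826 * mad, min_excess)
        for user, n in counts.items():
            if n > cutoff:
                flagged[user] = (role, n, med)
    return flagged

def build_sample_log():
    """Constructed audit lines, not real data: four clerks and three nurses printing
    normal volumes, plus one clerk printing far beyond any job duty."""
    lines, mrn = [], 1000
    def add(user, role, doc, n):
        nonlocal mrn
        for _ in range(n):
            mrn += 1
            lines.append(f"2012-08-01T09:{mrn % 60:02d}:00 user={user} role={role} "
                         f"action=PRINT doc={doc} mrn={mrn}")
    for user, n in {"jdoe": 3, "msmith": 4, "rlee": 3, "kpatel": 4}.items():
        add(user, "registration", "FACE_SHEET", n)
    add("bgrant", "registration", "FACE_SHEET", 40)
    for user, n in {"anurse": 12, "bnurse": 15, "cnurse": 14}.items():
        add(user, "nursing", "FACE_SHEET", n)
    add("jdoe", "registration", "LAB_RESULT", 2)  # other document types are out of scope here
    return lines

def review(lines=None):
    """Run the review; returns {user: (role, distinct_patients, peer_median)}."""
    if lines is None:
        lines = build_sample_log()
    return flag_outliers(parse_face_sheet_prints(lines))

if __name__ == "__main__":
    for user, (role, n, med) in review().items():
        print(f"{user} ({role}) printed face sheets for {n} patients; peer median is {med}")
```

Counting distinct patients rather than raw print jobs matters: a clerk reprinting one face sheet five times is a workflow quirk, while a clerk touching forty unrelated patients in a shift is the pattern that was sold out the back door in this case. The same review can be extended to printing after hours or from a unit the user is not assigned to.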

Accidental internet disclosure of PHI

Location: CA

Entity Type: Healthcare Provider

Individuals Affected: 12,234

Date Reported: 02/15/12

Breach Type: Unauthorized Access/Disclosure

Location of Data: Network Server

Breach: On February 14, 2012, the covered entity (CE) reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server that the CE had purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file-sharing application, the CE did not examine or modify it. Although the CE hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the CE, evidence indicated that this was conducted in a patchwork fashion and did not result in enterprise-wide risk analysis, as required by the HIPAA Security Rule. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.

Corrective Action: In addition to the $2,140,500 settlement, the CE has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.

Mislabeled mailings including PHI

Location: AL

Entity Type: Business Associate

Individuals Affected: 1,085

Date Reported: 01/24/14

Breach Type: Other

Location Of Data: Other

Breach: On September 6, 2013, the covered entity (CE) discovered that its business associate (BA) had mislabeled invitations for an event for cancer survivor patients. While the address was correct, the name on the envelope was incorrect for 1,085 individuals.

Corrective Action: The BA re-sent the invitations to the correct names and addresses with a letter explaining the mistake to the affected individuals. In response to the breach, the CE terminated its business relationship with the BA and changed to processing bulk mailings in-house. Although the CE had a policy in place before the breach that clearly outlined breach notification requirements, the CE did not perform media notification after this breach. OCR provided technical assistance on this topic. In addition, OCR obtained assurances that the CE implemented the corrective actions listed above.

PHI accidentally disclosed on the internet

Location: NC

Entity Type: Healthcare Provider

Individuals Affected: 7300

Date Reported: 11/08/13

Breach Type: Unauthorized Access/Disclosure

Location of Data: Other

Breach: On September 11, 2013, a patient of the covered entity (CE) notified the CE that when he did an internet search for his name he was able to see a list identifying him as a patient of [the CE]. The CE investigated and discovered that protected health information (PHI) was accessible on the internet from September 17, 2012, to September 11, 2013, and that the breach was due to the way medical notes had been transcribed. An employee uploaded audio files and lists of patients’ names through a file transfer protocol (FTP) site to assist with transcription. The files included the names, dates of birth, phone numbers, referring physicians, chart numbers, and reasons for visits for 7,297 patients.

Corrective Action: In response to the incident, the CE immediately discontinued use of the FTP site, removed all of its files from the insecure website, and contacted Google to have all cached copies of the files removed. The CE also provided breach notification to HHS, affected individuals, and the media and offered free credit monitoring and a toll-free number to answer questions. The CE also reviewed its policies and retrained all staff on its data privacy and information security policies. Additionally, the CE partnered with a security contractor to develop and implement new policies and procedures to safeguard electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above.

Improper digital storage

Location: MD

Entity Type: Healthcare Provider

Individuals Affected: 4831

Date Reported: 07/20/16

Breach Type: Hacking/IT Incident

Location of Data: Other

Breach: The covered entity (CE) reported that in February 2010 it entered into a medical transcription services agreement with a business associate (BA) located in Bangalore, India, that provides dictation and transcription services for the physicians. On May 23, 2016, a patient discovered that the office notes from her visit were viewable online. The CE learned that the transcribed files had been uploaded onto a public Hypertext Markup Language (HTML) folder that was publicly searchable. The breach affected 4,831 individuals and included clinical information. The CE does not have any evidence that transcription files were actually viewed or acquired by any third parties; however, it acted with caution in response to the breach due to the six-year period (between 2010 and 2016) that the data was accessible, and the inability to determine whether any third parties had viewed the transcription files. To the best of the CE's knowledge, only the two patients who discovered the breach and the individuals involved in the investigation and remediation of the breach on behalf of the CE actually viewed any PHI, and they did not retain it. OCR reviewed the CE's risk analysis and BA agreements.

Corrective Action: The CE terminated its relationship with the BA. The CE stated that it ensured a detailed risk assessment was conducted to identify any vulnerabilities and a gap analysis work plan was developed and worked through to address such vulnerabilities. Additionally, the CE installed a new server with fully updated security settings and updated its Notice of Privacy Practices. OCR obtained assurances that CE implemented the corrective action listed above.
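Three of the cases above share a mechanism: files containing ePHI sat on a web-reachable server (a file-sharing application left on its default settings, an FTP site, a transcription vendor's public HTML folder) for a year or more, and a patient or a search engine found them before the entity did. Asking Google to drop cached copies is an after-the-fact cleanup; the proactive control is to periodically fetch your own hosts without credentials and look for open listings and PHI-shaped content. The following is an added example of that check, not code from any of the entities involved; the URLs, the keyword list and the sample responses are constructed for illustration, and the fetcher is injectable so the logic runs offline.

```python
"""Added example: an unauthenticated exposure check for an organisation's own
web hosts. Not code from any entity in this post; the URLs, PHI keyword list
and sample responses are constructed for illustration."""
import re
import urllib.error
import urllib.request

# Markers of an open directory listing (Apache, nginx autoindex and similar).
LISTING_RE = re.compile(r'<title>\s*Index of\s*/|Parent Directory|<pre>\s*<a href="\.\./"', re.I)
# PHI indicators. Heuristics only: an SSN-shaped value or a clinical label is a strong signal.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHI_TERMS = ("patient name", "date of birth", "dob:", "diagnosis", "mrn", "reason for visit")
FILE_RE = re.compile(r'href="([^"]+\.(?:pdf|docx?|txt|wav|mp3))"', re.I)

def fetch(url, timeout=10):
    """Fetch a URL with no credentials and return (status, body). 401/403 count as protected."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""

def assess(status, body):
    """Classify one unauthenticated response as ('none'|'medium'|'high', findings)."""
    if status != 200:
        return "none", []
    findings = []
    if LISTING_RE.search(body):
        findings.append("open directory listing")
    files = FILE_RE.findall(body)
    if files:
        findings.append(f"{len(files)} downloadable file(s) linked")
    ssns = len(SSN_RE.findall(body))
    if ssns:
        findings.append(f"{ssns} SSN-shaped value(s)")
    lowered = body.lower()
    terms = [t for t in PHI_TERMS if t in lowered]
    if terms:
        findings.append("PHI labels: " + ", ".join(terms))
    if ssns or terms:
        return "high", findings      # content itself looks like PHI
    if findings:
        return "medium", findings    # listing or loose files: investigate what they hold
    return "none", findings

def scan(urls, fetcher=fetch):
    """Assess every URL; pass a fake fetcher to run against canned responses."""
    return {url: assess(*fetcher(url)) for url in urls}

# Constructed responses standing in for a real server (no network needed to run this).
SAMPLE_RESPONSES = {
    "http://files.example.invalid/transcription/": (200,
        '<html><head><title>Index of /transcription</title></head><body>'
        '<a href="../">Parent Directory</a><br>'
        '<a href="visit_1001.pdf">visit_1001.pdf</a><br>'
        '<a href="visit_1002.pdf">visit_1002.pdf</a></body></html>'),
    "http://files.example.invalid/transcription/visit_1001.txt": (200,
        "Patient Name: J. Example\nDOB: 01/02/1960\nReason for visit: follow-up\n"),
    "http://files.example.invalid/private/": (401, ""),
    "http://www.example.invalid/": (200, "<html><body>Welcome to our clinic</body></html>"),
}

def fake_fetch(url):
    return SAMPLE_RESPONSES[url]

if __name__ == "__main__":
    for url, (severity, findings) in scan(SAMPLE_RESPONSES, fake_fetch).items():
        print(f"{severity:6} {url}  {'; '.join(findings)}")
```

Run with the real `fetch` against a list of your own hostnames and any vendor-hosted paths named in BA agreements, from a network position that has no VPN or SSO session, since the point is to see what an anonymous search-engine crawler sees. A "medium" result (a listing with no PHI on the index page itself) still needs a human to open the linked files; in the transcription cases above the PHI was inside the documents, not on the listing page.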

Looting during a riot

Location: MD

Entity Type: Healthcare Provider

Individuals Affected: 500

Date Reported: 06/09/15

Breach Type: Unauthorized Access/Disclosure

Location of Data: Other, Paper/Films

Breach: On April 27, 2015, rioting broke out in Baltimore, MD and the covered entity (CE) was broken into, vandalized and looted. Multiple prescriptions and stock bottles of narcotics were taken. About 150 prescription bags containing patient names and the medications were stolen. The types of protected health information (PHI) contained on the prescriptions included names, addresses, and prescription information.

Corrective Action: The location was immediately secured. The CE installed a new front door and upgraded the security system. OCR obtained assurances that the CE implemented the corrective actions listed.

Missing hard drives

Location: MA

Entity Type: Healthcare Provider

Individuals Affected: 9,387

Date Reported: 01/08/18

Breach Type: Loss

Location of Data: Other/Portable Electronic Device

Breach: In November 2017 the covered entity (CE), discovered that an unencrypted, portable hard drive used to store monthly backups of bone density studies was missing from the bone density testing workstation, affecting 9,387 individuals. The types of protected health information (PHI) involved included patients' names, dates of birth, patients' identification numbers, and radiology images.

Corrective Action: The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE applied appropriate sanctions, retrained its workforce, and conducted an audit of hardware containing electronic PHI, resulting in the replacement of two additional portable devices not in compliance with its policies. OCR reviewed the CE’s policies and procedures and obtained assurances that the CE implemented the corrective actions listed above.

Improper mailing procedures

Location: MA

Entity Type: Healthcare Provider

Individuals Affected: 2,146

Date Reported: 11/28/17

Breach Type: Unauthorized Access/Disclosure

Location of Data: Paper/Films

Breach: Between July 13, 2017 and October 1, 2017, the covered entity (CE) mailed a number of health insurers using clear envelope address windows that displayed 2,146 patients’ protected health information (PHI), due to an employee error. The types of PHI involved in the breach included demographic and health claims information.

Corrective Action: The CE provided breach notification to HHS and the affected individuals, provided credit monitoring, and placed a 90-day fraud alert on individuals’ credit files. Following the breach, the CE stopped using envelopes with clear windows for processing claims. Additionally, the CE implemented new quality controls for mailings and retrained employees at the facility where this incident occurred. OCR obtained assurances that the CE implemented the corrective action steps noted above.

Social engineering - Impersonation

Location: MA

Entity Type: Health Plan

Individuals Affected: 1,715

Date Reported: 10/06/17

Breach Type: Hacking/IT

Location of Data: Network Server

Breach: An unknown third party used social engineering to obtain the identifying information of eleven employees from sources outside their employment and used that information to impersonate the employees online and over the phone to gain access to a database of the covered entity (CE). The database contained protected health information (PHI) of 1,715 long-term care insurance policyholders and applicants, including names, dates of birth, Social Security numbers, telephone numbers, email addresses, and certain long-term care insurance policy information.

Corrective Action: Following the breach, the CE took the database offline, created new identity verification policies and procedures, and retrained staff. The CE provided breach notification to HHS and affected individuals in accordance with the Breach Notification Rule. OCR provided the CE with technical assistance regarding its privacy and security program.


We hope these stories give an idea of the various ways that breaches can happen and have shed some light on some interesting trends in the data. We wondered why paper is still showing up as a common data breach location since electronic medical records have become the standard. We saw that PHI is still sent in the mail quite frequently, and occasionally a mistake can cause a breach.

These are only a few cases out of the many that are found in the HHS data, but they give us a better idea of possible ways for a breach to occur.