Database of Addiction Service Provider Potentially Exposed 145,000 Patient Records

The highly sensitive information of patients treated at addiction rehabilitation centers was found publicly accessible on the internet because a database had been left unsecured. The database contained about 4.91 million records associated with roughly 145,000 patients of Steps to Recovery, an addiction rehabilitation provider based in Levittown, PA.

On March 24, 2019, Justin Paine, Cloudflare’s Director of Trust and Safety, identified the unsecured database and promptly notified Steps to Recovery and its hosting company. Steps to Recovery did not reply, but the hosting company responded and secured the database, which is no longer publicly accessible.

Paine found the database using the Shodan search engine, which indexes internet-facing devices and services, including unsecured databases. He reported that the Elasticsearch instance held two indices containing more than 1.45 GB of data, all of which could be read over the internet without any authentication. The database had been publicly accessible for more than two years, from 2016 to 2018.
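The exposure described above is simple to test for: an Elasticsearch node that answers its root document and `/_cat/indices` to an anonymous client is readable by anyone who finds it. The following added example (not code from the article or from Justin Paine) probes a URL for exactly that condition and summarizes what an unauthenticated client can see. To keep it runnable offline it also starts a loopback mock node; the mock's index names, record counts and version string are constructed for this example and only loosely mirror the two-index, 1.45 GB database described above.

```python
"""Check whether an Elasticsearch node answers read requests without
credentials. Added example; the mock node and its data are constructed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_elasticsearch(base_url, timeout=5):
    """Return a summary of what an anonymous client can read from the
    Elasticsearch node at base_url, or None if nothing ES-like answers."""

    def get_json(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))

    try:
        root = get_json("/")
    except urllib.error.HTTPError as exc:
        # 401/403 on the root endpoint: the node exists but wants credentials.
        return {"reachable": True, "anonymous_read": False, "http_status": exc.code}
    except (OSError, ValueError):
        # Connection refused/timeout, or a non-JSON reply from something else.
        return None
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return None  # a web server, not an Elasticsearch root document

    # /_cat/indices is the quickest way to see how much data is readable.
    try:
        indices = get_json("/_cat/indices?format=json&bytes=b")
    except urllib.error.HTTPError as exc:
        return {"reachable": True, "anonymous_read": False,
                "http_status": exc.code, "cluster_name": root["cluster_name"]}

    summary = [{"index": idx.get("index"),
                "docs": int(idx.get("docs.count") or 0),
                "bytes": int(idx.get("store.size") or 0)} for idx in indices]
    return {
        "reachable": True,
        "anonymous_read": True,
        "http_status": 200,
        "cluster_name": root["cluster_name"],
        "version": root["version"].get("number"),
        "indices": summary,
        "total_docs": sum(i["docs"] for i in summary),
        "total_bytes": sum(i["bytes"] for i in summary),
    }


# Constructed responses imitating a 6.x node (not data from the real breach).
MOCK_ROOT = {"name": "node-1", "cluster_name": "elasticsearch",
             "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"}
MOCK_INDICES = [
    {"health": "green", "status": "open", "index": "patients",
     "docs.count": "145000", "store.size": "100000000"},
    {"health": "green", "status": "open", "index": "visits",
     "docs.count": "4765000", "store.size": "1350000000"},
]


class _MockElasticsearch(BaseHTTPRequestHandler):
    require_auth = False  # True imitates a node with security enabled

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _reply(self, code, obj):
        body = json.dumps(obj).encode("utf-8")
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self._reply(401, {"error": "missing authentication credentials"})
        elif self.path == "/":
            self._reply(200, MOCK_ROOT)
        elif self.path.startswith("/_cat/indices"):
            self._reply(200, MOCK_INDICES)
        else:
            self._reply(404, {"error": "not found"})


def start_mock_node(require_auth=False):
    """Start a loopback mock node on a free port; returns (server, base_url)."""
    handler = type("Handler", (_MockElasticsearch,), {"require_auth": require_auth})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    for auth in (False, True):
        server, url = start_mock_node(require_auth=auth)
        print("security enabled:", auth, "->", probe_elasticsearch(url))
        server.shutdown()
        server.server_close()
```

Point `probe_elasticsearch` at `http://host:9200` for a real node you are authorized to test. An `anonymous_read` of `True` is the finding; a 401 or 403 means authentication is enforced. Only probe hosts you own or have permission to assess, and note that binding the node to a private interface or putting it behind an authenticating proxy is the fix, not hiding the port.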

The database included patients’ names, details of the treatments and services they received at Steps to Recovery, dates of service, locations visited by patients, and billing details.

Using details from the database as search terms, Paine was also able to find further information about some patients through Google, including dates of birth, ages, email addresses, and telephone numbers.

Steps to Recovery has not announced how many patients were affected, and the incident has not yet been posted on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is also not known whether anyone else accessed the database while it was exposed.

Three Email Hacking Incidents Potentially Exposed 8,600 Patients’ PHI

Three healthcare organizations have reported potential breaches of patients’ protected health information (PHI) after unauthorized persons gained access to employees’ email accounts. In total, 8,635 patients were affected by the three incidents.

The first incident involved Center for Sight and Hearing in Rockford, IL. On January 23, 2019, the organization discovered that an unauthorized person had accessed an employee’s email account. The account, which contained the PHI of 5,319 patients, was breached on January 18.

A third-party computer forensics firm investigating the incident confirmed on February 21, 2019 that the compromised account contained information such as names, addresses, and patient scheduling details. To improve security, Center for Sight and Hearing has implemented multi-factor authentication and a new password management system.

The second incident involved Harbor Behavioral Health, a group of counseling and mental health treatment centers in Northwest Ohio. On February 13, 2019, Harbor discovered that an unauthorized person had accessed an employee’s email account.

A third-party computer forensics company determined that the attacker had access to the account for three months, from December 2018 to February 2019, and that a second email account had also been compromised.

Unauthorized access to the two compromised accounts was promptly terminated, and the accounts were secured and analyzed. They were found to contain names, birth dates, health insurance information, and information related to Harbor’s services; some patients’ Social Security numbers and driver’s license numbers were also exposed. In total, the PHI of 2,290 patients was affected.

Harbor Behavioral Health has offered free credit monitoring and identity theft protection services to patients whose Social Security number or driver’s license number was exposed. Harbor has also implemented controls to block unauthorized access from external IP addresses, improved its log reviews and the frequency of automated alerts, and hardened its security processes. Employees have received additional training on identifying and avoiding phishing emails.

The third incident involved a hacker gaining access to a Dakota County employee’s email account, potentially affecting 1,026 individuals. The county discovered the breach on February 13, 2019 and secured the account immediately.

Third-party cybersecurity experts investigated and confirmed that the account had been accessed, though it could not be determined whether any emails were viewed or copied. Although the investigation confirmed that only one account was compromised, all employee email accounts were subjected to a forced password reset as a precaution.

The compromised account contained Dakota County Social Services information such as names, addresses, driver’s license numbers, Social Security numbers, medical insurance details, medical histories, diagnoses, and treatment data.

Affected individuals were sent breach notification letters on April 12, 2019 and offered free identity protection services. Dakota County has also strengthened its email security defenses to prevent further attacks.

Washington Legislature Unanimously Passes New Breach Notification Law

The Washington legislature has unanimously passed a new data breach notification law (HB 1071 / SB 5064), which now awaits the signature of Governor Jay Inslee. The law expands the definition of personal information and shortens the deadline for issuing breach notifications to 30 days.

Currently, Washington’s breach notification law requires notifications only when a state resident’s name is breached together with a state ID number, Social Security number, credit/debit card number or driver’s license number.

Under the new law, notifications will also be required for breaches of the following data elements:

  • Complete date of birth
  • Military ID numbers
  • Biometric information
  • Student ID numbers
  • Passport ID numbers
  • Health insurance ID numbers
  • Medical histories
  • Usernames or email addresses, together with a password or security question answers that would permit access to an account
  • Private keys used for electronic signatures

With the exception of online account credentials, the data elements above are classified as personal information even when they are not paired with an individual’s first and last name.

Notifications are required when one or more of the listed data elements are compromised in unencrypted form and the breached information is reasonably likely to put the individual at risk of harm.

The deadline for issuing notifications has been shortened from 45 days to 30 days after discovery of a breach, though notifications must still be issued as quickly as possible and without unreasonable delay. The state Attorney General must also be notified within the same period.

As in California, the new law specifies what must be included in breach notification letters: the date of the breach, the date of its discovery, its time frame (if known), and the types of data compromised or exposed. The notification to the Attorney General must additionally state the number of state residents affected (or an estimate if the exact number is unknown) and the steps taken to contain the breach.

Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed compliant with the new law if they already comply with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Phishing Attack on EmCare Resulted in the Exposure of 60,000 Records

EmCare, a physician staffing firm based in Dallas, Texas, has announced a data breach affecting about 60,000 people, including roughly 31,000 patients.

The compromised data was contained in messages and attachments in employee email accounts that an unauthorized person accessed after several employees responded to phishing emails and disclosed their email credentials. EmCare’s breach notice does not state when the breach took place or how long the attackers had access to the accounts.

EmCare discovered the breach on February 19, 2019 and launched an investigation. A third-party computer forensics firm found that the compromised accounts contained data on patients, employees, and contractors, including names, birth dates, demographic data, clinical data, driver’s license numbers and Social Security numbers, all of which the attackers could potentially have accessed or copied.

The investigators found no evidence that the attackers accessed or exfiltrated patient or employee data, but the possibility cannot be ruled out. No reports of misuse of the data have been received to date.

EmCare is providing one year of complimentary credit monitoring and identity theft protection services to individuals whose Social Security number or driver’s license number was potentially compromised.

EmCare sent notification letters to affected individuals on April 19, 2019, 59 days after discovering the breach and one day before the deadline set by the HIPAA Breach Notification Rule.

In response to the breach, EmCare has implemented a variety of “advanced IT solutions” and provided employees with additional training on email security.

Malware Attack on Oregon Endodontic Group and Humana Web Portal Breach Resulted in PHI Exposure

An office computer used by Oregon Endodontic Group was infected with malware, and the attackers may have stolen email data. The group noticed suspicious activity in email accounts on November 13, 2018 and launched an investigation.

A third-party forensic firm assisted with the investigation to determine the nature and scope of the breach. The investigators identified the malware as Emotet, a banking Trojan that is also capable of harvesting and exfiltrating information from email accounts. They found no evidence that the attackers stole email data, but data theft could not be ruled out.

The investigators reviewed the compromised email account to determine what types of protected health information (PHI) had been exposed. The investigation was concluded on February 11, 2019.

The email account contained limited types of data: names in combination with one or more data elements such as birth date, diagnosis information, treatment information, and health insurance data. The Social Security numbers of 41 individuals, the driver’s license numbers of two individuals and the financial data of seven individuals were also exposed.

Oregon Endodontic Group has engaged an IT security firm to evaluate its security controls and implement additional measures to strengthen the security of its email system.

Humana has reported a separate data breach affecting Texas residents. Unauthorized individuals registered on a website operated by Availity, a service provider authorized by Humana, which is used to check the eligibility and benefits of health plan members. The unauthorized individuals attempted to obtain eligibility and benefit verification information for plan members.

The scammers posed as physician provider groups and may have obtained a limited amount of plan member data between January 15, 2016 and February 14, 2019. The data accessed included names, benefit information, Humana ID numbers, healthcare reminders and plan effective dates. Humana has offered credit monitoring and identity theft protection services to affected members and advised them to review their explanation of benefits statements for signs of fraudulent transactions. No reports of PHI misuse have been received to date.

In its breach notification letters, Humana noted that Availity has policies and procedures in place to protect customer information, and that additional measures have been implemented since the breach. The breach affected 522 Texas residents who are Humana plan members.

12,000 Baystate Health Patients Affected By Phishing Attack

Baystate Health in Massachusetts has experienced a phishing attack that exposed the protected health information (PHI) of roughly 12,000 patients.

The attack took place between February 7 and March 7, 2019, during which the email accounts of several employees were compromised; each account was secured as soon as the compromise was identified. A computer forensics firm assisted with the investigation, reviewing the messages and attachments in the affected accounts to determine whether they contained PHI and whether the attackers had accessed it.

The investigation confirmed that the accounts contained patient data such as names, birth dates, medications, diagnoses and treatment information. For some patients, the messages and attachments also included health insurance information, Social Security numbers and Medicare numbers.

Baystate Health mailed breach notification letters to affected patients on April 5. Patients whose Social Security number was compromised have been offered one year of free credit monitoring and identity theft protection services. No evidence was found that the attackers viewed, copied or misused patient information.

All affected patients have been advised to monitor the explanation of benefits statements from their insurers and the statements from their medical providers for charges for services they did not receive.

Baystate Health reset the passwords of the compromised email accounts to block further access and put additional security measures in place to keep unauthorized persons out of its email accounts.

Email logging and log monitoring have been improved to detect breaches more rapidly, and employees have received additional security awareness training to help them recognize phishing emails.
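The Harbor and Baystate incidents above ran for weeks or months before detection, and both organizations responded with the same two controls: blocking logins from external addresses and reviewing sign-in logs more closely. The following added example (not code or log data from Baystate Health, Harbor Behavioral Health or any other organization in this article) shows what that log review looks like as detection logic. It reads a small constructed JSON-lines audit export and flags three patterns typical of a phished mailbox: a successful login from outside the organization’s address space, two logins for one user from different countries too close together to be the same person, and an inbox rule created shortly after such a login. The record format, field names, trusted ranges and log lines are all assumptions for this example; map them onto your mail platform’s audit export before use.

```python
"""Triage mailbox sign-in audit records for post-phishing account abuse.
Added example; the log format and sample records below are constructed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate address space (documentation ranges chosen for the demo).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is suspect
RULE_WINDOW = timedelta(hours=1)     # inbox rule this soon after an external login

# Constructed JSON-lines audit export, one record per line (not real data).
SAMPLE_LOG = """\
{"ts": "2019-02-07T08:02:11Z", "user": "alice", "op": "UserLoggedIn", "ip": "10.20.1.15", "country": "US", "result": "Success"}
{"ts": "2019-02-07T08:40:53Z", "user": "alice", "op": "UserLoggedIn", "ip": "198.51.100.23", "country": "NG", "result": "Success"}
{"ts": "2019-02-07T08:45:02Z", "user": "alice", "op": "New-InboxRule", "ip": "198.51.100.23", "country": "NG", "result": "Success"}
{"ts": "2019-02-07T09:10:40Z", "user": "bob", "op": "UserLoginFailed", "ip": "198.51.100.23", "country": "NG", "result": "Failed"}
{"ts": "2019-02-07T12:00:00Z", "user": "bob", "op": "UserLoggedIn", "ip": "203.0.113.40", "country": "US", "result": "Success"}
{"ts": "2019-02-07T12:30:00Z", "user": "bob", "op": "New-InboxRule", "ip": "203.0.113.40", "country": "US", "result": "Success"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_trusted(ip):
    """True if the address falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def _alert(rule, e, detail=None):
    return {"rule": rule, "user": e["user"], "ts": e["ts"].isoformat(),
            "ip": e["ip"], "country": e["country"], "detail": detail}


def find_alerts(events):
    """Return alert dicts (rule, user, time, IP) for the three patterns."""
    alerts = []
    logins = defaultdict(list)  # user -> successful logins seen so far
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["op"] == "UserLoggedIn" and e["result"] == "Success":
            if not is_trusted(e["ip"]):
                alerts.append(_alert("external_login", e))
            # Impossible travel: a different country within TRAVEL_WINDOW.
            for prev in logins[user]:
                if prev["country"] != e["country"] and ts - prev["ts"] <= TRAVEL_WINDOW:
                    alerts.append(_alert("impossible_travel", e, prev["country"]))
                    break
            logins[user].append(e)
        elif e["op"] == "New-InboxRule":
            # Rules that forward or hide mail are how attackers keep access
            # quiet; flag one created from outside or right after such a login.
            recent_external = any(not is_trusted(p["ip"]) and ts - p["ts"] <= RULE_WINDOW
                                  for p in logins[user])
            if recent_external or not is_trusted(e["ip"]):
                alerts.append(_alert("inbox_rule_after_external_login", e))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only alice’s activity is flagged: the Nigerian login is external, it comes 38 minutes after a US login, and an inbox rule follows it within five minutes; bob’s failed attempt from the same address is not alerted here but would be worth correlating across users. Real exports carry the country as a separate enrichment step rather than a field, and this kind of review is a compensating control: as the Metrocare entry later in this article notes, multi-factor authentication stops a phished password from being usable in the first place.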

Breaches at Clearway Pain Solutions Institute and Questcare Medical Services Affect Patients’ PHI

Gulf Coast Pain Consultants, which operates as Clearway Pain Solutions Institute, has discovered that an unauthorized person accessed its EMR system.

An investigation launched on February 20, 2019 revealed that the unauthorized person accessed a range of patient data, including names, phone numbers, home addresses, email addresses, birth dates, Social Security numbers, health insurance details, referring provider names, and demographic data. Clinical data held in medical records was not accessible, and no financial information was exposed.

Clearway Pain Solutions Institute has blocked the unauthorized access and conducted a full review of all EMR accounts, verifying each user account’s access level and its activity in the EMR system. Following a review of its policies and procedures, the institute will also adjust access to patient information as appropriate.

Clearway Pain Solutions Institute has notified all affected patients and offered them a free one-year membership to Experian IdentityWorks. The incident has not yet been listed on the HHS’ Office for Civil Rights breach portal, so the exact number of patients affected is not yet known.

A phishing attack on Questcare Medical Services, a physician group in Dallas, TX, resulted in the compromise of an employee’s email account on February 13, 2019. Investigators found protected health information (PHI) in the compromised account, and affected patients were notified on April 12, 2019.

The affected individuals received medical services at Questcare facilities in Dallas, Fort Worth, or Arlington, Texas. The attacker potentially accessed patient information including names, birth dates and some clinical data; no financial data or Social Security numbers were exposed.

Questcare employees have received further security awareness training and will get regular reminders about phishing. The group has also deployed Microsoft’s Advanced Threat Protection to strengthen its defenses against phishing attacks. The number of individuals affected has not yet been reported.

Second Phishing Attack on Metrocare Services Two Months After the First

A phishing attack on Metrocare Services, a mental health service provider in North Texas, gave an unauthorized person access to several employees’ email accounts.

Metrocare Services detected the breach on February 6, 2019 and immediately blocked access to the affected accounts, but investigators determined that the attackers had first accessed the accounts in January 2019.

A review of the affected accounts confirmed that the protected health information (PHI) of 5,290 patients was potentially compromised. The affected patients were notified on April 5, 2019. The exposed PHI included names, birth dates, driver’s license data, health insurance details, health information related to the services Metrocare provided, and, for some patients, Social Security numbers.

The investigators found no evidence that emails containing ePHI were accessed or copied, but access and theft cannot be ruled out entirely. Metrocare Services has offered individuals whose Social Security number was exposed one year of free identity theft protection and credit monitoring services.

In response, Metrocare Services will implement additional security measures, including multi-factor authentication, to strengthen its email system and prevent account access when credentials are compromised in future attacks.

This is the second phishing attack on Metrocare Services. In November 2018, a similar attack compromised the PHI of 1,800 patients. Following that attack, Metrocare Services said it would strengthen its email security and provide employees with additional training on identifying phishing attempts.

Clearly, those measures were not enough to prevent a further attack. Had multi-factor authentication been implemented after the first phishing attack, stolen credentials alone would likely not have been sufficient to access the accounts, and the second attack could well have been prevented.

20,485 Patients Impacted by Health Recovery Services Potential PHI Breach

Health Recovery Services in Athens, OH, a provider of alcohol and drug addiction services, has notified 20,485 patients that an unauthorized person may have accessed some of their protected health information (PHI).

On February 5, 2019, Health Recovery Services discovered that an unauthorized IP address had gained remote access to its computer network. To prevent further unauthorized access, the organization took its network and data systems offline and retained a forensic expert to investigate the nature and extent of the breach.

According to the investigation findings delivered on March 15, 2019, the unauthorized IP address had access to the network from November 14, 2018 until February 5, 2019. No evidence was found that any patient information was accessed or copied, but the possibility that data was accessed or stolen cannot be ruled out.

Patients whose PHI was potentially compromised have been notified by mail. The compromised server held names, addresses, phone numbers, and birth dates; for patients treated after 2014, it also held medical data, health insurance details, diagnoses, treatment details, and Social Security numbers.

Health Recovery Services states that its network has since been secured. The organization has also re-evaluated its policies, procedures, and cybersecurity controls and will improve them to prevent further breaches, and it plans to take steps to limit the damage should a network server be breached again in the future.

Healthcare Data Breach Report for March 2019

March 2019 saw roughly one reported healthcare data breach per day: the HHS’ Office for Civil Rights received 30 breach reports from HIPAA-covered entities and their business associates. The number of breaches reported in March was 11% higher than the average over the previous 60 months.

Month over month, the number of reported breaches fell by 6.67%, and the number of breached records fell by 58%. In total, the healthcare records of 883,759 individuals were exposed, stolen or impermissibly disclosed in March.

Causes of Healthcare Data Breaches in March 2019

The leading cause of healthcare data breaches in March was hacking and other IT incidents, such as ransomware and malware attacks. The 19 hacking/IT incidents reported in March exposed 739,635 records, 83.69% of the month’s total. There were also 8 unauthorized access/impermissible disclosure incidents involving 81,904 records and 4 theft incidents involving 23,960 records.

Biggest Healthcare Data Breaches Reported in March 2019

The largest breach of the month was reported by Navicent Health: a phishing attack that potentially allowed attackers to access and copy the records of 278,016 patients. ZOLL Services reported a breach of almost the same size, with 277,319 records exposed. That breach occurred at one of ZOLL’s business associates, an email archiving company, which accidentally removed the protection on a network server. It is not known whether unauthorized persons accessed the records while they were exposed.

Location of Breached PHI

Twelve of March’s breaches involved email, mostly as a result of phishing attacks. Seven hacking/IT incidents involved network servers, including hacks, ransomware attacks, and the accidental deactivation of security controls.

Healthcare Data Breaches by Covered Entity in March 2019

In March, healthcare providers reported 21 breaches, health plans reported 4, and business associates reported 5; a further three breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations and business associates in 18 states reported data breaches in March 2019. California, Ohio, and Pennsylvania each reported three breaches. Arizona, Idaho, Massachusetts, Maryland, Minnesota, Oregon, and South Carolina each reported two breaches, and Arizona, Connecticut, Georgia, Florida, Indiana, Mississippi, Oklahoma and New York reported one breach each.

HIPAA Enforcement Activities in March 2019

The HHS’ Office for Civil Rights did not announce any fines or settlements in March 2019, but a financial penalty has been agreed over a 2015 data breach at the Texas Department of Aging and Disability Services.

Texas has approved a $1.6 million settlement to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach reported in June 2015. The settlement has not yet been publicly confirmed.

State attorneys general also did not announce any HIPAA-related settlements or financial penalties in March.