$100,000 Settlement Reached for 2015 HIPAA Breach


The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced a settlement with Touchstone Medical Imaging (“Touchstone”) for their potential violations of HIPAA Security and Breach Notification Rules. Touchstone has agreed to pay $3,000,000 and adopt a corrective action plan.

Touchstone is a diagnostic medical imaging services company based in Franklin, Tennessee, and provides services in Nebraska, Texas, Colorado, Florida, and Arkansas.

The Breach

In May 2014, Touchstone was informed by the FBI and OCR that one of its FTP servers was giving uncontrolled, unauthorized access to protected health information (PHI). This uncontrolled access allowed files to be indexed by search engines, meaning an unauthorized individual could access another’s PHI simply by performing an Internet search.

Initially, Touchstone claimed that there was no PHI expose by the uncontrolled server. The story changed during OCR’s investigation, when Touchstone ultimately admitted that the PHI of over 300,000 patients was in fact, exposed. The information involved in the exposure includes names, birth dates, social security numbers, and addresses.

Even after the notice was issued to Touchstone and the server was taken offline, PHI remained visible on the Internet.

The Investigation

OCR found that Touchstone was in violation of multiple HIPAA rules. Following the breach notice issued by the FBI and OCR, Touchstone did not conduct a thorough investigation of the breach for several months. Not only did the delayed investigation of the breach violate HIPAA, but also resulted in delayed breach notifications for the affected individuals as well as a delay in notifying the media – both additional HIPAA violations.

Further investigation revealed that Touchstone had also failed to conduct an accurate and thorough risk analysis of its organization, a critical component in identifying potential risks to the confidentiality, integrity, and availability of electronic PHI (ePHI) – and the violations don’t stop there.

OCR identified two situations where Touchstone failed to have Business Associate Agreements in place with their vendors – including their IT support and a third-party data center, another HIPAA violation.

The Settlement

The settlement of $3 million dollars isn’t the only action that needs to be taken by Touchstone. In addition to the monetary settlement, a robust corrective action plan must be adopted to address their HIPAA compliance deficiencies, including carrying out business associate agreements, completing an enterprise-wide risk analysis, and adopting HIPAA policies and procedures.

Although the number of HIPAA violations associated with this breach is extensive, all serve as an important reminder of the requirements under HIPAA that cannot be ignored. Performing a risk analysis, having Business Associate Agreements in place for the entire duration of a vendor contract, implementing and enforcing policies and procedures, ensuring technical safeguards are in place, and training employees on HIPAA and security awareness are just a few key pieces of HIPAA compliance that should be addressed and evaluated routinely.

In addition, this case highlights the necessity of taking swift action following a breach. Had Touchstone started their corrective action efforts immediately following their notification from the FBI and OCR, several violations could have been avoided – the violations associated with delayed breach notifications specifically.


Business email compromises (BEC) scams made a big statement in 2018, seeing a 133% increase over 2017, according to a recent report by Beazley Breach Response Services.

The Beazley Breach Briefing looked at information gathered from investigations into more than 3,300 data incidents that were reported to Beazley in 2018.

The investigations revealed that nearly half (47%) of the data incidents investigated were the result of a hack or malware. Diving deeper, the investigations revealed that half of those hacking or malware incidents were BEC scams.

What is a BEC scam?

BEC scams, also known as CEO fraud, have become a favorite for cybercriminals. A BEC scam requires the scammer to do their homework by using social engineering tactics to determine who the CEO or CFO is, and who the victims will be. Despite the effort it takes to make this scam successful, cybercriminals favor it due to the high profits it yields, even if only a few attempts are successful.

Typically, the scammer will target an employee working in the finance department, or one who would not find a request for a money transfer unusual. Then, the cybercriminal sends a fraudulent email to their victim, impersonating the CEO or CFO, requesting a wire transfer. These emails often have a sense of urgency for the transfer and may state that the “CEO or CFO” who is sending the email is in an important business meeting and cannot be bothered.

BEC scams can be tricky to detect. Scammers will often create an email address very similar to the individual they are impersonating. In some cases, scammers may even have control of the CEO’s or CFO’s actual email account, making the scam even more convincing.

The goal of the scam is to trick the victim into performing the requested function (most often a wire-transfer or electronic payment to the criminal’s bank account but could include transferring sensitive data) as quickly as possible without giving it a second thought.

The Beazley Breach Briefing reported that 24% of the incidents that were investigated from 2018 were the result of a BEC scam, up from 13% in 2017. The rise in BEC scams year-over-year is a major cause for concern and should prompt organizations to take proactive measures to protect themselves.

How to prevent a BEC scam

  • Use multi-factor authentication
  • Train employees regularly on cybersecurity
  • Limit employees who can authorize wire transfers
  • If a vendor requests changes to an account, confirm requests by a direct phone call using pre-agreed phone numbers
    • Review requests by getting them approved by a next-level approver prior to making changes
    • If approved, check that the address or bank account match those that were used previously for payments


Earlier this month, the data breach affecting Quest Analysis, LabCorp, and Opko was introduced, stemming from an incident brought on by the collections vendor, American Healthcare Collection Agency (AMCA). Now, the amount of individuals who had their medical and personal data compromised by the incident has surpass 20 million, bringing up major problems of medical identity theft for all those affected.


So what can you do to help prevent medical identification theft?


Request access to your professional medical records. It is your own right under the Health Insurance Portability plus Accountability Act (HIPAA) to gain entry to your medical records. You should get within the habit of reviewing your healthcare records to look for any errors within your chart that could indicate something might be wrong.


In case you detect errors in your medical information, report them immediately. If by chance you do discover an error in your medical records, you need to waste no time in reporting the particular error to your health insurer. The particular fraud department should be able to assist you using the next steps. In addition , report the particular fraud to the Federal Trade Commission rate (FTC) by filing an identification theft report.


Verify the security of your information. You should be aware of how your suppliers are protecting your medical details. Do not hesitate to ask questions about how exactly your data is being protected. If your information are being cared for the way they should be, simply no practice or organization should experience uncomfortable answering that question.


Only give out the particular minimum. Don’t offer unnecessary information to healthcare companies, pharmacies, etc . If the information is just not required, it is best not to share this.


Protect your own medical information. In case you deem it appropriate to share your details with a medical provider or another party, learn why they need that information, the actual plan on doing with that information, plus who they will share it along with. Remember, it’s not a bad thing to provide out the minimum in this circumstance.


Check hyperlinks. Always check that any kind of website you’re accessing is secure; this consists of a patient portal. Secure websites must have “https” at the beginning of the URL.


Use caution when getting rid of your medical records. Never just toss your healthcare records out with the trash. In the event that any of your personal information is contained in writing, shred that information prior to grasp.


While being involved with a data breach is often away from our hands, such as the Quest Analysis, LabCorp, and Opko breach, getting precautions and staying diligent inside monitoring your medical records will help you prevent or stop medical identification theft.


Patient data exposed

Inmediata Health Group, Corp., a provider of clearinghouse services, software, and business processing solutions to health plans, hospitals, IPAs, and independent physicians recently announced a security incident affecting some customer data.

The incident was discovered in January 2019 when Inmediata found a misconfigured webpage was allowing some electronic health information to be viewed publicly. The webpage was allowing search engines to index Inmediata’s internal webpages that were used for business operations and not intended for public view.

What was exposed?

The health information involved in this incident includes patients’ names, dates of birth, genders, and medical claims information, with some affected individuals, potentially having their Social Security numbers exposed.

There is currently no information available on how many individuals were affected and how long the webpage was publicly accessible.

Inmediata’s next steps

Once Inmediata became aware of the incident, the misconfigured webpage was deactivated, and a computer forensics company was engaged to assist with the investigation.

At this time, there is no evidence to suggest the exposed information was subjected to unauthorized access or misuse, however, the possibility could not be ruled out.

Inmediata began notifying affected individuals by mail on April 22, 2019. The notification letters included information about the incident and steps the affected individuals should take to monitor and protect their personal information.

Verify you’re working with HIPAA compliant vendors  

This breach serves as an important reminder that it’s not always the Covered Entity that causes a data breach.

It is critical to ensure you are working with vendors who are taking the appropriate measures to protect your patient data, and that you have a Business Associate Agreement in place with those vendors from the start of your contract with them.

In addition, you should verify your Business Associates (BAs) are ensuring their own HIPAA compliance on an annual basis. One way of doing this is by sending your BAs a compliance check. If you’re working with compliant vendors, they should be happy to respond to your request.

If you find you’re working with a non-compliant vendor, it may be time to rethink your relationship with them. After all, a data breach caused by them has a direct impact on you.

The post Misconfigured Webpage Exposed Patient Data appeared first on HIPAA Secure Now!

Hello, HIPAA

The Health Insurance Portability and Accountability Act, better know as HIPAA, was passed by Congress in 1996 and called for the protection and confidential handling of protected health information (PHI). HIPAA still exists today, aiming to protect patients and their information, but it’s important to think about how far we’ve come in the ways we handle patient data since its enactment.

Look how far we’ve come

Think about this, the first iPhone was introduced in 2007; that’s 11 years after the introduction of HIPAA. This highlights the significant technological advancements our country has seen over the last 20+ years. We’re now living in a digital world. Not only has that made an impact on our personal lives, but also how organizations are able to conduct business. From financial institutions to medical practices, technology has brought new opportunities, and obstacles.

When HIPAA was created, a patient’s PHI was stored in a chart, on paper. There was no worrying about a hacker sneaking into the network and stealing their information. Nobody heard of phishing or ransomware.

Today, 23 years after HIPAA made its debut, it is far more common to see electronic protected health information (ePHI) than it is to see paper records. We have had tremendous advancements in patient care and treatment, which has led to new challenges for the protection and confidential handling of PHI.

Holes in HIPAA

While there have been some tweaks to HIPAA like the Omnibus Rule in 2013, by a large part, HIPAA has not seen much change since its introduction. With the vast changes to how we access and handle patient data, there is no denying the significant holes in the HIPAA rule and the need for a major update.

Compliance is non-negotiable

One thing that has not changed since 1996 – HIPAA compliance is here, and it is not optional.  In fact, it’s arguably more important than ever before to have your HIPAA compliance program in order. With the healthcare industry being favored by cybercriminals, human error accounting for most data breaches, the ease in filing a complaint against an organization, and more, your compliance program could come under review at any given time – and you must be ready.

What triggers an audit?

The Office for Civil Rights (OCR), is the department responsible for enforcing HIPAA. It seems there is a common misconception that audits by the OCR happen at random when the department decides to “pop in” on organizations to check on their compliance state. The reality is, the OCR is not staffed to audit organizations without just cause, meaning when an audit occurs, something triggered it.

Common audit triggers

  • Patient complaints – Patients could file complaints for any number of reasons. Maybe a patient was denied access to their records, or perhaps they saw a picture on social media with their medical chart in the background.
  • Employee complaints – Often times, disgruntled employees may file a complaint following termination of employment, but that’s not always the case. If an employee feels there has been wrongdoing, they could certainly file a complaint.
  • Employee mistakes – Employee mistakes or human error account for many audits. An employee falling for a phishing email, using weak passwords, and sending a patient the incorrect records are all examples of human errors.
  • Insider wrongdoing – Sometimes employees violate company policies maliciously, and other times they may just be curious. Employees could steal patient records for personal gain or could peek at a patient’s records because they’re curious about their visit.
  • Third-party mistakes – Mistakes caused by a Business Associate (BA) could also lead to an investigation of your organization. If your (BA) suffers a data breach, you may be audited as well.
  • Security incident – Common security incidents include lost or stolen devices, especially those devices that are unencrypted, as well as unpatched software that led to malware or ransomware exploits.

Many times, whatever triggered the audit, to begin with, is not the biggest problem or finding by the OCR. This is why having your HIPAA compliance program in order and continuously working towards your compliance is critical.

Bring on the questions

When a Covered Entity or Business Associate suffers a security incident, it needs to be reported, and once that happens, questions may start arising. Why didn’t you have a password on your Wi-Fi? Why was your server unlocked and underneath your reception desk? Aren’t your employees trained on how to spot a phishing email? Didn’t you have a policy in place for what’s permitted use of a workstation? Why didn’t you have a Business Associate Agreement with your transcription service?

These are just a few questions that could be posed by an auditor – but that’s just the beginning of what they will ask of you.

What will OCR look for in an audit?

What OCR may be looking for in an audit situation will vary, dependent on what triggered the audit in the first place. Below are some common items that your organization could expect to show an auditor in the event of an audit, all of which, are key components of a HIPAA compliance program.

  • Security Risk Assessment – An absolutely critical part of your compliance program. The Security Risk Assessment (also referred to as the SRA, or Security Risk Analysis) will look for gaps in your organization’s administrative, physical and technical safeguards that could pose a risk for protected health information (PHI). You must have documented proof of your SRA.
  • Remediation/Risk Management Plan – Once you’ve conducted your SRA, you’ll need to have a process in place to begin addressing your deficiencies, often referred to as a Risk Management Plan. This plan should cover how you plan to remediate all the security gaps discovered in your SRA.
  • Policies & Procedures – Not only does your organization need to have policies and procedures in place, but you also must ensure that employees understand those policies and have signed off on them. Employees can’t be expected to follow the rules if they are unaware of them, and the documented proof that they acknowledged the policies is vital in the event of a security incident.
  • Security Officer – Every organization needs to have an appointed Security Officer. This individual is responsible for ensuring policies and procedures are created, understood by all employees of the organization, and acknowledged by them with documented proof. The Security Officer should also ensure employees are trained on HIPAA routinely.
  • Routine HIPAA Training – Not only is HIPAA training a requirement, but it is also necessary to reduce the chances of an employee-error. HIPAA and cybersecurity awareness training should be conducted routinely so employees are kept updated on the latest threats, and to keep security best practices top of mind.
  • Business Associate Agreements – You must have a Business Associate Agreement (BAA) with any and all vendors that handle your patient data. A data breach caused by a Business Associate will also affect your organization, so make sure you are working with vendors who take HIPAA compliance seriously.

Proof of network vulnerability scans, penetration tests, and breach notification (in the event of a breach) are also common requests by the OCR.

The bottom line

It’s safe to say that in this digital age, HIPAA could use a refresh, but despite its flaws, your adherence to it is not up for discussion. An audit could be triggered by anyone, at any time. If you had a complaint filed against you tomorrow, would you be confident in your compliance state? If you can’t answer yes, it’s best to get to work – before it’s too late.


In 2018, 71% of ransomware attacks targeted small businesses, according to a report by Beazley Breach Response Services. It’s clear that small businesses are a cybercriminals favorite target, yet many remain unprepared to handle a cyber-attack.

Is it that small businesses don’t care about cybersecurity?

It wouldn’t be fair to make that assumption; however, small businesses do often overlook cybersecurity concerns. This could be the result of many different things. For example, small businesses often do not have the resources to dedicate to cybersecurity. In fact, some of those businesses don’t have a dedicated IT individual/company at all. In some instances, small businesses may be carrying the “it won’t happen to me mentality” – despite plenty of statistics stating that small businesses are the most susceptible to a cyber-attack. And then there is the complexity of the topic. Many organizations don’t understand cybersecurity. Mix the lack of understanding with the other reasons that cybersecurity is often overlooked, it’s easy for small businesses to put it on the back burner and forget about it.

Out of sight, out of mind

Another reason it’s hard to get organizations to care about cybersecurity is that “if they can’t see it, it isn’t there”. It’s easy to take physical security of your organization seriously. You know that you must lock the office door when you leave, or that leaving medication unlocked and unsupervised could lead to its disappearance.

Unfortunately, cybersecurity doesn’t work the same way. Organizations can be told about cybersecurity risks and best practices, but not being able to physically see the danger makes it difficult to care or prioritize those safeguards above others. Think about it, you’ve used the same password for everything, for years. It’s not a difficult password so it’s easy for you to remember. You’ve heard that complex passwords are important, and you know you should never use the same password across multiple accounts, but you’ve been doing this for years and nothing bad has happened, so it’s probably not a concern for you. Cybersecurity is often out of sight, out of mind.

Healthcare organizations are especially vulnerable

The healthcare industry is the most targeted industry by cybercriminals. Many of the reasons for this are the same reasons that attackers target small businesses. Healthcare organizations also see a lot of turnover, which could translate to cybercriminals as new employees to target, many of which, may not be properly trained.

The value of healthcare data to a cybercriminal is also unparalleled. Medical records bring in big bucks on the dark web, allowing these attackers to see large returns for even just one successful attack.

Don’t wait till it’s too late

The worst mistake you can make is to think you’re not at risk, or not think cybersecurity is a high enough priority to do something about it. Small businesses need to take what we’ve learned about cybercriminals targeting them as a warning and act before they too become another statistic.

Cybersecurity tips

1. Recognize You’re a Target – First and foremost, you must accept that you are a target for cybercriminals. Every organization, small or large is a target and no industry is off limits. If cybercriminals see value in attacking your organization, they will.

2. Security Risk Assessment – It’s important to understand where your organization’s security gaps are. Perform a Risk Assessment to determine what safeguards should be in place but are not. For example, policies, data backup procedures, inactivity timers on your computers, etc.

3. Security Awareness Training – Employees must be trained on cybersecurity and understand how to spot malicious attempts made by cybercriminals. Employees should know how to spot a phishing email and the dangers of clicking attachments or URLs within emails, as these are common methods for a hacker to get in.

4. Complex Passwords – Passwords must be complex, reasonably long (at least 10 characters), and different across all accounts. Simple passwords can easily be cracked by cybercriminals through a brute-force attack, putting your entire organization at risk. Using repeat passwords across various accounts is also dangerous since one compromised password could give a hacker access to all your accounts.

5. Use a Password Manager – Managing several difficult passwords can be a difficult task, but password security should not be compromised for convenience. Using a password manager is a great way to ensure all passwords are secure. The best part is, you only need to remember one master password.

6. Enable Two-Factor Authentication – Sometimes referred to as 2FA, or multi-factor authentication, two-factor authentication is another layer of security for accessing your accounts, aside from you entering your credentials. 2FA requires a second form of authentication for you to successfully log in. For example, you may have to enter a 6-digit code sent to you via a text message to prove it is really you who is trying to log in.

7. Perform Updates – Ensure your software is being updated when updates become available. Software updates are often issued to fix a vulnerability found in the software. Not performing updates can often leave you susceptible to attacks that could have been prevented.

8. Regularly Backup Your Data – Do not underestimate the importance of routinely backing up your data. A cyber-attack could occur at any minute, and when it does, your data could be at risk. If your data becomes inaccessible or corrupt, through a ransomware attack, for example, you’ll need to be able to get that data another way – from your backups.

9. Audit accounts for suspicious activity – Make sure you’re performing audits on your systems. For example, if you have an EHR, you should be auditing it regularly looking for unusual activity, such as logins after hours, users accessing abnormal amounts of medical records. If inappropriate activity is occurring, the quicker you catch it the better off you’ll be.

10. Cyber Insurance – As cybercriminals continue to become more sophisticated, attacks will continue to occur. It’s no longer a matter of if your organization will be attacked, but when. Security incidents are incredibly costly, sometimes putting organizations out of business. Costs could include a breach coach, forensics, breach notification, credit monitoring, crisis management, and more. Verify that your organization has cyber insurance (this coverage is often not included in your standard policy) to protect you in the event of a security incident.


We previously wrote an article about the ransomware attack striking a Michigan doctor’s office, leaving their patients with no medical records and leading the practice to closure. This article is intended to provide professional insight into the liability of the practice despite its decision to close its doors.

The following blog was written by Matthew Fisher, Chair of Health Law Group and a Partner at the law firm of Mirick O’Connell where Matt focuses on guiding practices and companies through the labyrinth of healthcare regulations.

A two physician practice in Michigan recently drew significant attention for deciding to unexpectedly close after losing all of its patient and billing records.  In brief, the practice suffered a ransomware attack that blocked access to all files.  The attackers demanded a ransom of $6,500 to restore access.  The physicians refused to pay the ransom (a response that in isolation is not a bad one).  The publicly stated reason for not paying is that the physicians could not receive a guarantee that the attackers would actually restore access.  When the ransom was not paid the attackers deleted all of the files.

The expected next step would be for the practice to pull out one of hopefully many backups, restore all files up to the point of the backup, and then continue on its way.  Since this particular practice made the headlines, that usual course outcome did not happen.  In this particular instance, the physician practice did not have a backup (or at least none that has been reported) and declared that all of its files were lost.  As a result of not having any files and not wanting to take the time to restore the practice, the physicians provided roughly thirty days notice of the practice shutting down entirely.

Will closure of the practice be the end of the story?  Unfortunately, the physicians likely may only hope that closure ends the entire story.  In all likelihood, this practice could help set precedent for future claims in the event of a catastrophic outcome from a ransomware attack.

Finding one silver lining may be a good way to approach the assessment of potential liability.  Instead of shutting down immediately, as noted above, the practice provided slightly over thirty days advance notice of the closure.  Giving patients thirty days to find a new physician is consistent with the suggested course of action contained in model ethical guidelines.  The ethical guidelines look to provide a patient with sufficient or reasonable time to transition and that the physician terminating the relationship continue to provide care during the transition period.  The thirty days here may be enough for that to happen.

Now for the potential liabilities.  If all records have been lost, then the practice will clearly not be able to respond to any patient’s request for access under HIPAA.  Failure to respond to a request for access is one of, if not the, most common types of non-compliance with HIPAA.  When access is denied, many individuals will submit a complaint to the Office for Civil Rights.  In this case, the entire patient population of the practice could theoretically submit such a complaint.  Given the total breakdown, could the loss of all records be the spur for OCR to issue the first fine for a denial of access?  It is possible, especially since OCR has used settlements in the past to provide lessons about key issues of HIPAA compliance.  For example, OCR could point not only to the need to fully respond to a request for access, but fault the practice for not having a disaster recovery and backup plan, and very likely for not having done a risk analysis.

A second area of potential is malpractice related claims.  A patient could assert an adverse outcome from a procedure or service and the physicians would be without records to defend against the claim.  Malpractice claims can rely heavily upon pouring through medical records to piece together exactly how care was provided and to assess the quality of care provided by the physician(s) who are the subject of the claim.  If no records exist, then how can services be assessed?  Unless some supporting records could be found from another facility, it could leave the physicians severely handicapped in their ability to produce any sort of defense.

A third potential liability could arise from claims brought by patients in repeat care is not covered by insurance and/or a patient is forced to pay out of pocket due to being in a deductible range.  Since all of the records are gone, tests will very likely need to be repeated to obtain relevant and needed information.  While the practice may not have the records, each patient’s health insurance company will certainly have a record of a claim being submitted for the service and in all probability the claim being paid.  While the health insurance company may be made aware of the record loss, a natural response from insurance would be that it will not cover the service again because it will then be forced to pay for the failure of the physician practice.  Alternatively, even if insurance is willing to cover the service again, a patient could have a high deductible health plan or other form of coverage where that patient will need to pay out of pocket for the service.  In either scenario, whoever pays for the service could look to the physicians who lost the records and seek to make them pay for the unnecessary repetitive services.  The argument would flow that the loss of records was the direct cause of the repeat service being needed and that any financial harm should fall on the causative actor.

While those are only three potential liabilities, each possibility could easily occur.  A natural response could be for the physicians to seek liability insurance carriers for the practice to cover any damages.  Without being able to get into the exact specifics of the case, the insurance carriers could seek to deny coverage.  If the practice was negligent in protecting its records, was not fully accurate in filling out an insurance application, or took other steps not called for by the insurance policy, then coverage could be denied.  As such, the physicians could easily be fully on the hook for any resulting damages.

While no data breach is good, when extreme outlier cases arise the outcomes become even worse.  While it is too late for the particular practice in Michigan to change the outcome, the total loss of data should be a wake up call to other practices and organizations that good, comprehensive security is essential.


Quest Diagnostics, one of the country’s largest blood testing providers announced on Monday that nearly 12 million patients may have had their sensitive information compromised in a data breach.

The breach occurred at one of Quest’s billing collections vendors, American Medical Collection Agency (AMCA). Quest was notified on May 14, that between August 1, 2018, and March 30, 2019, an unauthorized individual had access to AMCA’s systems.

The information stored on AMCA’s systems which may have been compromised includes financial information, medical information, and other personal information (such as Social Security Numbers). Lab test results were not accessible by AMCA, therefore were not compromised in the breach.

Complete information regarding the breach has not yet been provided to Quest.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA,” the company stated.


Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.

The Breach Discovery

The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third-party accessed some of their employees’ email accounts. According to Metrocare, immediately after learning of the breach, the affected email accounts were secured, and an investigation was launched.  The investigation found that the compromised email addresses were first accessed in January 2019.

Potentially Accessed Information

The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.

Patient notification began on April 5, 2019. At this time, Metrocare does not have reason to believe that any of the affected patient information has been misused as a result of the incident. Those individuals who may have had their Social Security numbers exposed are eligible for one year of complimentary identify protection and credit monitoring.

In their notice, Metrocare writes:

We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its system systems.

Not Their First Offense

What sounds like a sincere apology to the community regarding the incident may not be taken as such. This data breach was reported just 5 months after Metrocare reported a previous breach in November 2018. Even worse, this breach was almost identical to the previous, a phishing attack that compromised the PHI of 1,800 patients.

Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.

Considering they encountered a very similar breach just months after their first one, it is clear that whatever security/training may have been implemented was not enough. Multi-factor authentication had not been enabled following the first attack, which could have very likely prevented the second from occurring.

The November phishing attack on Metrocare does not have a closing listed on HHS’ public breach website, meaning that first attack may still be under investigation.



Medical Informatics Engineering, Inc. (MIE), a software and electronic medical records service provider has paid the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services $100,000 to settle a HIPAA breach from 2015.

The Indiana-based company reported the data breach to OCR on July 23, 2015, following the discovery that the electronic protected health information (ePHI) of roughly 3.5 million people had been inappropriately accessed. The unauthorized access occurred when hackers used a compromised user ID and password to gain entry into the records.

A subsequent investigation was launched by OCR and revealed that MIE did not conduct a thorough risk analysis before the breach occurred, which is a requirement under the HIPAA rule.

“Entities entrusted with medical records must be on guard against hackers,” said Roger Severino, director of the Office for Civil Rights at the US Department of Health and Human Services (HHS), in a statement.

“The failure to identify potential risks and vulnerabilities to ePHI (electronic protected health information) opens the door to breaches and violates HIPAA.”

MIE has agreed to a corrective action plan in addition to the $100,000 settlement. The corrective action plan will include the completion of an enterprise-wide risk analysis.

Things to Note

  • Although this breach exposed the ePHI of roughly 3.5 million people, the fine imposed by OCR was at the lower end of fines that could have been expected as a result of this incident.
  • This settlement came more than three years after the incident.
  • We are again reminded that a risk analysis is not optional but required under the HIPAA Rules.

Is Your COMPANY's Data on the Dark Web, Find out TODAY!!!


Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282