HospitalInspections.org

Bringing transparency to federal inspections

28 CRESCENT ST

MIDDLETOWN, CT 06457

PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS

Tag No.: A0147

Based on review of clinical records, a hospital investigation of a security breach related to a phishing attack on the hospital email system, review of hospital policies and procedures, and interviews regarding four hospital employees whose emails were auto-forwarded to an unauthorized email account, RN #1, MD #4, MD #5, and MD #6, the hospital failed to ensure that the email system was designed and operated with safeguards ensuring that only authorized disclosures were made, resulting in unauthorized disclosure of elements of 946 Patients' Protected Health Information (PHI). The findings include:

Review of a hospital documented timeline, investigation and interviews with the Compliance/Privacy Officer, Vice President (VP) of Information Technology (IT), and IT Director on 12/30/15, 12/31/15, 01/04/16, and 01/05/16 identified that a phishing attack consisting of what looked like a legitimate hospital-to-employee email communication was received by 88 staff members on 05/27/15 at 5:40 PM. The email directed the user to click on a link, log in, and update account activity, and stated that failure to comply with the directive might result in deactivation of the email account, interruption of service, or undue errors. The IT department identified the phishing attack late on the night of 05/27/15 and blocked further access to the site by installation of new firewalls. On 05/28/15 at 8:58 AM, the IT Director notified all email users of the phishing attack and directed them to notify the IT Support Center if they had clicked on the link. The email provider was updated regarding the attack. The IT Support Center received no calls from email users and no installation of malicious software was detected.

Interviews with the IT Director, Information Security Manager, and Vice President of IT on 12/31/15 at 10:00 AM identified that, because the IT Support Center received no calls from email users and no installation of malicious software was detected, there was nothing further that could have been done to evaluate the security breach and/or potential release of Protected Health Information (PHI).


While trialing an enhanced security software program between 10/04/15 and 10/06/15, a vendor identified that on 05/27/15, four employees, RN #1 and MDs #4, #5, and #6, had entered their names and passwords into the suspicious email. All of these employees' emails were auto-forwarded to an unauthorized account, which represented an ongoing phishing attack. Additionally, MD #6 had forwarded his/her hospital emails, including attachments, to his/her spouse's personal email account. Auto-forwarding was immediately disabled for these employees. The hospital conducted an investigation that included review of all emails sent or received by RN #1 and MDs #4, #5, and #6 for the time period of 05/27/15 through 10/09/15. MD #5's emails contained no PHI; however, the emails of RN #1 and MDs #4 and #6 contained some combination of full name, last name only, medical record number, date of birth, address, date of service, account number, medications, and diagnoses, and involved 946 patients. The email provider determined that all the emails were accessed by the unauthorized user.

A review of examples of released materials included, in part, a scanned copy of a uterine ultrasound that included the patient's full name, date of service and pictures of the fetus and fetal measurements; multiple Cancer Conference Summaries that included the patients' full names, dates of birth, medical record numbers, reason for consult, past history, social history, family history, radiology findings, tumor markers, surgery, and pathology; and infectious disease lists that included patients' last names, medical record numbers, diagnoses, antibiotics administered, and organisms identified.

Interview with the President and Chief Executive Officer (CEO) on 01/05/16 at 1:00 PM identified that there were no detectable failures in the system and no way of predicting this new type of attack, although an interview with the Information Technology (IT) Director on 01/05/16 at 1:10 PM identified that by adding enhanced security software, the hospital now has the ability to monitor who clicked on links contained in emails as well as who is utilizing the auto-forwarding feature.

DATA COLLECTION & ANALYSIS

Tag No.: A0273

Based on review of quality minutes, a hospital investigation of a security breach related to a phishing attack on the hospital email system, review of hospital policies and procedures, and interviews regarding four hospital employees whose emails were auto-forwarded to an unauthorized email account, the hospital quality improvement/patient safety (QIPS) program failed to analyze and track performance of the Information Technology (IT) department and/or the process of maintaining confidentiality of protected patient health information. The findings include:

Review of a hospital documented timeline, investigation and interviews with the Compliance/Privacy Officer, Vice President (VP) of Information Technology (IT), and IT Director on 12/30/15, 12/31/15, 01/04/16, and 01/05/16 identified that a phishing attack consisting of what looked like a legitimate hospital-to-employee email communication was received by 88 staff members on 05/27/15 at 5:40 PM. The email directed the user to click on a link, log in, and update account activity, and stated that failure to comply with the directive might result in deactivation of the email account, interruption of service, or undue errors. The IT department identified the phishing attack late on the night of 05/27/15 and blocked further access to the site by installation of new firewalls. On 05/28/15 at 8:58 AM, the IT Director notified all email users of the phishing attack and directed them to notify the IT Support Center if they had clicked on the link. The email provider was updated regarding the attack. The IT Support Center received no calls from email users and no installation of malicious software was detected.

A review of examples of released materials included, in part, a scanned copy of a uterine ultrasound that included the patient's full name, date of service and pictures of the fetus and fetal measurements; multiple Cancer Conference Summaries that included the patients' full names, dates of birth, medical record numbers, reason for consult, past history, social history, family history, radiology findings, tumor markers, surgery, and pathology; and infectious disease lists that included patients' last names, medical record numbers, diagnoses, antibiotics administered, and organisms identified.


Interviews with the IT Director, Information Security Manager, and Vice President of IT on 12/31/15 at 10:00 AM identified that, because the IT Support Center received no calls from email users and no installation of malicious software was detected, there was nothing further that could have been done to evaluate the security breach and/or potential release of Protected Health Information (PHI).


While trialing an enhanced security software program between 10/04/15 and 10/06/15, a vendor identified that on 05/27/15, four employees, RN #1 and MDs #4, #5, and #6, had entered their names and passwords into the suspicious email. All of these employees' emails were auto-forwarded to an unauthorized account. This represented an ongoing phishing attack. Additionally, MD #6 had forwarded his/her hospital emails, including attachments, to his/her spouse's personal email account. Auto-forwarding was not disabled for these employees until October 2015. The hospital conducted an investigation in October 2015 that included review of all emails sent or received by RN #1 and MDs #4, #5, and #6 for the time period of 05/27/15 through 10/09/15. MD #5's emails contained no PHI; however, the emails of RN #1 and MDs #4 and #6 contained some combination of full name, last name only, medical record number, date of birth, address, date of service, account number, medications, and diagnosis, and involved 946 patients. The email provider determined that all the emails were accessed by the unauthorized user.

Interview with the Chief of Medicine on 12/31/15 at 11:45 AM identified that approximately 2 years ago an attorney provided education regarding email documentation that ensured protection of patient health information during a Peer Review meeting which 30 medical staff members attended. According to the Chief of Medicine, the education included that documentation should include patient initials and medical record numbers only.

Review of the 2015 Quality Improvement and Patient Safety (QIPS) Program description identified that monitoring, evaluation, and improvement of the quality and safety of patient care took place in 23 hospital services but did not include IT (including health information services, HIPAA Privacy and Security, and Information Services).

Review of Quality Improvement/Patient Safety Committee Minutes for 06/16/15, 07/21/15, 08/18/15, 09/15/15, 10/15/15, 10/20/15, and 11/17/15 failed to identify that the security breach was identified and/or reported to the Committee by the President/CEO, who attended each meeting.

Interview with the Compliance/Privacy Officer on 01/05/15 identified that he/she had weekly meetings with the Chief Financial Officer (CFO), reported two times per year to the Joint Audit Subcommittee of the Board of Directors, and reported directly to the CEO. He/she reported the breach to the Joint Audit Subcommittee on 12/11/15. Neither Compliance nor IT reports to QIPS.

MEDICAL RECORD SERVICES

Tag No.: A0431

This Condition was not met.


Based on review of clinical records, a hospital investigation of a security breach related to a phishing attack on the hospital email system, review of hospital policies and procedures, and interviews regarding four hospital employees whose emails were auto-forwarded to an unauthorized email account, the hospital failed to maintain the confidentiality of Protected Health Information (PHI) communicated via email in accordance with hospital education and training, which resulted in unauthorized disclosure of elements of 946 Patients' PHI.

Please refer to A0441.

PROTECTING PATIENT RECORDS

Tag No.: A0441

Based on review of clinical records, a hospital investigation of a security breach related to a phishing attack on the hospital email system, review of hospital policies and procedures, and interviews regarding four hospital employees whose emails were auto-forwarded to an unauthorized email account, the hospital failed to maintain the confidentiality of Protected Health Information (PHI) communicated via email in accordance with hospital education and training, which resulted in unauthorized disclosure of elements of 946 Patients' PHI. The findings include:


Review of a hospital documented timeline, investigation and interviews with the Compliance/Privacy Officer, Vice President (VP) of Information Technology (IT), and IT Director on 12/30/15, 12/31/15, 01/04/16, and 01/05/16 identified that a phishing attack consisting of what looked like a legitimate hospital-to-employee email communication was received by 88 staff members on 05/27/15 at 5:40 PM. The email directed the user to click on a link, log in, and update account activity, and stated that failure to comply with the directive might result in deactivation of the email account, interruption of service, or undue errors. The IT department identified the phishing attack late on the night of 05/27/15 and blocked further access to the site by installation of new firewalls. On 05/28/15 at 8:58 AM, the IT Director notified all email users of the phishing attack and directed them to notify the IT Support Center if they had clicked on the link. The email provider was updated regarding the attack. The IT Support Center received no calls from email users and no installation of malicious software was detected.

A review of examples of released materials included, in part, a scanned copy of a uterine ultrasound that included the patient's full name, date of service and pictures of the fetus and fetal measurements; multiple Cancer Conference Summaries that included the patients' full names, dates of birth, medical record numbers, reason for consult, past history, social history, family history, radiology findings, tumor markers, surgery, and pathology; and infectious disease lists that included patients' last names, medical record numbers, diagnoses, antibiotics administered, and organisms identified.


Interviews with the IT Director, Information Security Manager, and Vice President of IT on 12/31/15 at 10:00 AM identified that, because the IT Support Center received no calls from email users and no installation of malicious software was detected, there was nothing further that could have been done to evaluate the security breach and/or potential release of Protected Health Information (PHI).


While trialing an enhanced security software program between 10/04/15 and 10/06/15, a vendor identified that on 05/27/15, four employees, RN #1 and MDs #4, #5, and #6, had entered their names and passwords into the suspicious email. All of these employees' emails were auto-forwarded to an unauthorized account. This represented an ongoing phishing attack. Additionally, MD #6 had forwarded his/her hospital emails, including attachments, to his/her spouse's personal email account. Auto-forwarding was not disabled for these employees until October 2015. The hospital conducted an investigation in October 2015 that included review of all emails sent or received by RN #1 and MDs #4, #5, and #6 for the time period of 05/27/15 through 10/09/15. MD #5's emails contained no PHI; however, the emails of RN #1 and MDs #4 and #6 contained some combination of full name, last name only, medical record number, date of birth, address, date of service, account number, medications, and diagnosis, and involved 946 patients. The email provider determined that all the emails were accessed by the unauthorized user.
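The finding above, and the same finding under A0147 (where the IT Director notes that the hospital can now monitor who is using the auto-forwarding feature), turns on one control: nobody was reviewing mailbox rules that forward mail outside the organization, so four rules created on 05/27/15 ran until the vendor trial in October. The script below is an added illustration of that review, written for this page and not part of the inspection report or any software the hospital used. It assumes a generic export of mailbox rules (the `ForwardingRule` records, the action names, the domain `hospital.example` and all addresses are constructed for the example, not a specific mail provider's API) and flags every rule whose destination is outside the organization's own domains, reporting how many days each has been active.

```python
"""Audit mailbox auto-forwarding rules for external destinations.

Added example for this page; the records, domain and action names below are
constructed and do not come from the inspection report or any real provider.
"""
from dataclasses import dataclass
from datetime import date

# Assumed: the hospital's own mail domains (constructed placeholder).
ORG_DOMAINS = {"hospital.example"}

# Rule actions that cause mail to leave the mailbox (generic names, assumed).
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str     # owner of the rule
    rule_name: str
    action: str      # see FORWARDING_ACTIONS; other actions (e.g. "move") are ignored
    target: str      # destination address
    created: date    # when the rule was created


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in {d.lower() for d in org_domains}


def find_external_forwards(rules, as_of: date, org_domains=ORG_DOMAINS):
    """Return one finding per rule that forwards or redirects mail externally.

    Each finding records the mailbox, the external target and the number of
    days the rule has existed as of `as_of`, which is the exposure window.
    """
    findings = []
    for r in rules:
        if r.action not in FORWARDING_ACTIONS:
            continue                      # e.g. move-to-folder rules are benign here
        if not is_external(r.target, org_domains):
            continue                      # internal forwarding is out of scope
        findings.append({
            "mailbox": r.mailbox,
            "rule_name": r.rule_name,
            "target": r.target,
            "days_active": (as_of - r.created).days,
        })
    # Longest-running exposure first; mailbox as a stable tie-breaker.
    findings.sort(key=lambda f: (-f["days_active"], f["mailbox"]))
    return findings


def summarize(findings):
    """Headline numbers for a report: affected mailboxes and longest exposure."""
    mailboxes = sorted({f["mailbox"] for f in findings})
    longest = max((f["days_active"] for f in findings), default=0)
    return {"mailboxes": mailboxes, "longest_days": longest}


# Constructed sample mirroring the report's timeline: four rules created on the
# day of the phishing email, one benign internal forward, one non-forwarding rule.
SAMPLE_RULES = [
    ForwardingRule("rn1@hospital.example", "sync", "forward", "inbox-sync@mail.invalid", date(2015, 5, 27)),
    ForwardingRule("md4@hospital.example", "sync", "forward", "inbox-sync@mail.invalid", date(2015, 5, 27)),
    ForwardingRule("md5@hospital.example", "sync", "redirect", "inbox-sync@mail.invalid", date(2015, 5, 27)),
    ForwardingRule("md6@hospital.example", "home", "forward_as_attachment", "spouse@personal.invalid", date(2015, 5, 27)),
    ForwardingRule("md6@hospital.example", "coverage", "forward", "oncall@hospital.example", date(2015, 1, 12)),
    ForwardingRule("rn1@hospital.example", "newsletters", "move", "Folders/News", date(2015, 3, 3)),
]

# Date of the vendor trial that surfaced the rules in the report.
TRIAL_DATE = date(2015, 10, 6)


if __name__ == "__main__":
    found = find_external_forwards(SAMPLE_RULES, TRIAL_DATE)
    for f in found:
        print(f"{f['mailbox']:<24} -> {f['target']:<26} active {f['days_active']} days")
    print(summarize(found))
```

Run on the constructed records with the trial date as the reference point, the four phished mailboxes are each reported with 132 days of exposure, while the internal on-call forward and the move-to-folder rule are not flagged. Running the same check daily, and treating any new external forward as an alert rather than a quarterly review item, is what closes the gap the report describes.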

Interview with the Chief of Medicine on 12/31/15 at 11:45 AM identified that approximately 2 years ago an attorney provided education regarding email documentation that ensured protection of patient health information during a Peer Review meeting which 30 medical staff members attended. According to the Chief of Medicine, the education included that documentation should include patient initials and medical record numbers only.

Subsequent to the security breach and hospital investigation, a hospital policy entitled Minimum Necessary - PHI on Reports Used for Healthcare Operations was developed and implemented effective 11/2015, which directed, in part, that specific patient identifiers, including full names and/or complete social security numbers, must not be on any reports.