Cyber criminals hacked into part of a computer network at UCLA Health System in California, compromising records of at least 4.5 million people, the university hospital system reported on Friday.
There is no evidence yet the hackers obtained access to or acquired individuals’ PHI, although the compromised areas of the network do contain names, addresses, birthdates, Social Security numbers, medical record numbers, Medicare or health plan numbers, and other medical information, according to a statement from UCLA Health.
The health system is working with the FBI and has also hired private computer forensic experts to secure information on network servers.
Submit your HIPAA questions to Editor John Castelluccio at email@example.com and we will work with our experts to provide the information you need.
Q: Do healthcare organizations need to log all documents before shredding? I have my staff log all documents that were scanned and indexed before they are placed in the bin for shredding. Once I receive the certificate of destruction, we match the log sheets with the certificate of destruction for documentation purposes. Once matched with our log sheets, the certificates of destruction are kept in log books. This is done in anticipation of a court appearance. I will need to produce policies and procedures for certificates of destruction.
The national Blue Cross Blue Shield Association (BCBSA) announced July 14 that it would offer these free services as a permanent benefit to more than 106 million customers at all Blue companies nationwide.
This is the latest step in the health insurance giant’s efforts to protect customer safety and security in a world where cyber-attacks are a constant threat to every business and government entity. BCBS companies have, consequently, taken aggressive steps to protect their customers and lead the healthcare industry in cybersecurity, according to a press statement.
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecure online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.