Dedicated to providing the latest
HIPAA compliance news

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr24

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile...

Read More
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr13

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified...

Read More
Small Business Cybersecurity Bill Heads to Senate
Apr06

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets has been approved by the Senate Commerce, Science and Transportation Committee this week. The new bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the U.S Senate. The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act...

Read More
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr06

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law...

Read More
More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack
Apr04

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and used ransomware to encrypt data, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil...

Read More
Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr04

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Service (AWS) one of the most popular choices with the healthcare industry, although many healthcare organizations are using...

Read More
FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar29

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a...

Read More
SAFER Guides Updated by ONC: Ransomware Prevention and Mitigation Strategies Included
Mar28

SAFER Guides Updated by ONC: Ransomware Prevention and Mitigation Strategies Included

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has updated its SAFER Guides to include information to help healthcare providers protect against ransomware infections and mitigate ransomware attacks. The Safety Assurance Factors for Electronic Health Record Resilience (SAFER) Guides were first released in January 2014 to help healthcare providers improve the...

Read More
What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?
Mar23

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day. Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance...

Read More
WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks
Mar22

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information. The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a...

Read More
Snapshot of Healthcare Data Breaches in February 2017
Mar21

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of...

Read More
Back Up Drive Stolen: PHI of 1,291 Patients Exposed
Mar20

Back Up Drive Stolen: PHI of 1,291 Patients Exposed

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed. The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23,...

Read More
Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule
Mar20

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient. The patient, Clara Aragon-Delk, underwent a series...

Read More
Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records
Mar17

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017. On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this...

Read More
New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee
Mar15

New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives bringing New Mexico one step closer to becoming the 48th state to introduce data breach notification laws.  The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee. This is not the...

Read More
Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants
Mar14

Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed. No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers,...

Read More
Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group
Mar14

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – A member of the Health Texas Provider Network. A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department...

Read More
68% of Healthcare Organizations Have Compromised Email Accounts
Mar10

68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web. The FBI has also recently warned about Business Email Compromise (BEC). Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare...

Read More
Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients
Mar10

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients

Saliba’s Extended Care Pharmacy in Phoenix, Arizona is alerting more than 6,500 patients to an accidental disclosure of some of their protected health information (PHI). Copies of invoices for December 2016 were sent via Saliba’s Pharmacy’s encrypted email platform to the wrong patients in January. While there is no chance that the emails could have been intercepted by unauthorized individuals, the emails were opened by three patients...

Read More
Updated HIPAA Compliance Audit Toolkit Issued by AHIMA
Mar07

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits are now well underway. Late last year, covered entities were selected for desk audits and the first round of audits have now been completed. Now OCR has moved on to auditing business associates of covered entities. At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1,...

Read More
Improper Disposal of PHI Discovered by Minneapolis Heart Institute
Mar06

Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash. Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a...

Read More
Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Mar06

Healthcare Employee Accessed ePHI Without Authorization for 5 Years

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations. Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused. In many cases, improper access...

Read More
AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar02

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow –...

Read More
Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar02

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations...

Read More
OCR Urges Covered Entities to Monitor and Report Cyber Threats
Feb28

OCR Urges Covered Entities to Monitor and Report Cyber Threats

The healthcare system in the United States has suffered a barrage of cyberattacks in recent years and there is no sign that those attacks will ease. In all likelihood, attacks will increase in both number and severity. To counter the increased threat, healthcare organizations, government agencies, the private sector, and international network defense communities must collaborate, says the Department of Health and Human Services’...

Read More
Small Healthcare Data Breach Notification Deadline: March 1, 2017
Feb23

Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights. While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the...

Read More
New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough
Feb22

New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year. Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement...

Read More
American Senior Communities Says 17,000 Employees Impacted by W-2 Scam
Feb21

American Senior Communities Says 17,000 Employees Impacted by W-2 Scam

American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters. There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed...

Read More
Onsite HIPAA Audits Could Be Delayed by a Year
Feb21

Onsite HIPAA Audits Could Be Delayed by a Year

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed. It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow...

Read More
Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam
Feb17

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO., says a request for W-2 Form data was sent to one of its employees by email. The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were...

Read More