Dedicated to providing the latest HIPAA compliance news

NIST Publishes Draft of Updated Cybersecurity Framework
Jan 20

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan 19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A. of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of...

No HIPAA Violation Fine for Virginia State Senator
Jan 19

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

OCR Reminds CEs of HIPAA Audit Control Requirements
Jan 17

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information...
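
The audit control standard of the Security Rule (45 CFR 164.312(b)) requires mechanisms to record and examine activity in systems holding ePHI, and the two cases above were found exactly that way: someone read the access logs. As an added example (not part of the original article), the following Python script shows what such a routine review can look like when run over a constructed sample log. The log format, the treatment-relationship table, the username convention, the same-surname heuristic and the burst threshold are all assumptions for illustration; vendor EHR audit logs use their own fields. It flags three patterns a privacy officer would want to see: access to a patient the user has no documented treatment relationship with, a user looking up a patient who shares their surname (self or family lookups), and a run of unrelated record views in a short window, which reads as browsing or bulk collection.

```python
"""Review an EHR access log for ePHI access that warrants follow-up.

Added example (not from the article). The log format, the relationship table,
the username convention and the rule thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Access(NamedTuple):
    ts: datetime
    user: str
    patient: str     # patient identifier
    action: str      # VIEW / UPDATE / PRINT ...
    surname: str     # patient's surname, used by the same-surname rule


class Finding(NamedTuple):
    rule: str
    user: str
    patient: str
    detail: str


# Constructed sample: which patients each workforce member currently treats or
# processes (assumed to be exported from scheduling/admission data for the period).
TREATMENT_RELATIONSHIPS = {
    "rn.jones": {"P1001", "P1002", "P1003"},
    "dr.patel": {"P1001", "P1004"},
    "clerk.kim": {"P1002"},
}

# Constructed sample audit records:
# <ISO timestamp> <user> <patient> <action> <patient surname>
SAMPLE_LOG = """\
2017-01-10T08:02:11 rn.jones P1001 VIEW Smith
2017-01-10T08:05:40 rn.jones P1002 VIEW Garcia
2017-01-10T08:09:02 dr.patel P1004 UPDATE Chen
2017-01-10T08:15:55 clerk.kim P1005 VIEW Lee
2017-01-10T08:16:10 clerk.kim P1006 VIEW Kim
2017-01-10T22:41:07 rn.jones P1009 VIEW Nguyen
2017-01-10T22:41:09 rn.jones P1010 VIEW Brown
2017-01-10T22:41:12 rn.jones P1011 VIEW Davis
2017-01-10T22:41:14 rn.jones P1012 VIEW Wilson
2017-01-10T22:41:16 rn.jones P1013 VIEW Taylor
"""


def parse_log(text: str) -> List[Access]:
    """Parse the space-separated sample format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action, surname = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, patient, action, surname))
    return records


def user_surname(user: str) -> str:
    """Assumed username convention <role>.<surname>, e.g. 'rn.jones' -> 'jones'."""
    return user.rsplit(".", 1)[-1].lower()


def review(records, relationships, burst_count=5, burst_window=timedelta(minutes=5)):
    """Return findings for access patterns a privacy officer should look at."""
    findings: List[Finding] = []
    unrelated = defaultdict(list)   # user -> accesses with no treatment relationship

    for r in records:
        # Rule 1: no documented treatment relationship with this patient.
        if r.patient not in relationships.get(r.user, set()):
            findings.append(Finding("no_relationship", r.user, r.patient,
                                    f"{r.action} at {r.ts.isoformat()}"))
            unrelated[r.user].append(r)
        # Rule 2: the user shares a surname with the patient (self/family lookup).
        if user_surname(r.user) == r.surname.lower():
            findings.append(Finding("same_surname", r.user, r.patient,
                                    f"user surname matches patient surname {r.surname}"))

    # Rule 3: a burst of *unrelated* views in a short window looks like browsing or
    # bulk collection; related accesses are excluded so a busy legitimate shift stays quiet.
    for user, accesses in unrelated.items():
        accesses.sort(key=lambda a: a.ts)
        for i, first in enumerate(accesses):
            in_window = {a.patient for a in accesses[i:] if a.ts - first.ts <= burst_window}
            if len(in_window) >= burst_count:
                findings.append(Finding("burst", user, ",".join(sorted(in_window)),
                                        f"{len(in_window)} unrelated patients within "
                                        f"{burst_window} starting {first.ts.isoformat()}"))
                break   # one burst finding per user is enough to trigger review
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG), TREATMENT_RELATIONSHIPS):
        print(f"{f.rule:16} {f.user:10} {f.patient:30} {f.detail}")
```

The rules are starting points, not a product; the operationally hard part is the relationship table, which has to be rebuilt from scheduling, admission and coverage data for each review period, and every finding is a prompt for a human to check the chart, not a verdict. The burst rule is deliberately computed only over accesses that already failed the relationship check, otherwise a clinician working a busy shift would trip it constantly.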

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan 12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

$475,000 Settlement for Delayed HIPAA Breach Notification
Jan 10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA...

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan 9

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia, with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health...

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan 8

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered....

Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan 6

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015,...

Patients Holding Back Health Information Over Data Privacy Fears
Jan 5

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial...

Massachusetts Data Breach Notification Archive Now Available Online
Jan 5

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation...

Largest Healthcare Data Breaches of 2016
Jan 4

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the 2015 level – 16,586,112 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan 3

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation...

Healthcare Pages Intercepted and Posted Online
Dec 30

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room...

Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible
Dec 29

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection. The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The...

New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec 29

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range...

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec 28

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec 23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of...

Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec 22

The Joint Commission on Accreditation of Healthcare Organizations’ (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain...

ONC Publishes Final 2017 Interoperability Standards Advisory
Dec 21

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to...

Security Risks of Unencrypted Pages Evaluated
Dec 20

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as...

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported
Dec 16

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR). The year is certainly not ending well. November saw the highest...

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec 15

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected,...

IBM: 70% of Businesses Paid Cybercriminals to Unlock Ransomware
Dec 15

Ransomware has grown in popularity over the past two years and 2016 has seen record numbers of attacks on businesses. Cybercriminals see ransomware as an easy way to make money. Rather than having to infiltrate a system, steal data, and sell those data on the black market – a process that can take months before payment is received – a ransomware infection usually results in quick payment of funds. Payments are typically received...

Quest Diagnostics Announces 34,000-Record ePHI Breach
Dec 13

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States, so patients across the country have been impacted by the breach. On November 26, 2016, an unknown individual gained access to the...

ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities
Dec 9

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules. The HIPAA Privacy Rule came into...

21st Century Cures Bill Sails Through Senate
Dec 8

Last week, the House of Representatives voted overwhelmingly in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to...

21st Century Cures Act Unanimously Passed by House
Dec 1

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st...

OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails
Dec 1

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels. Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to...

Healthcare Data Breaches Fell in October
Nov 17

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen. The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October; two fewer breaches than were reported last month. However, the...
