Dedicated to providing the latest HIPAA compliance news

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
Feb 17

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the...

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Feb 17

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Services (AWS) is one of the most popular choices in the healthcare industry, although many healthcare organizations are using...

Covered Entities Flirting with Fines for Late Data Breach Reports
Feb 14

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification...

Summary of January 2017 Healthcare Data Breaches Released
Feb 14

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breaches reported. January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well....

Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information
Feb 13

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data. OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is...

Majority of Healthcare Organizations Struggling with EHR Interoperability
Feb 13

A recent survey from Black Book Market Research has highlighted what hospital administrators and physicians know all too well. Great strides may have been made toward a fully interoperable healthcare system, but important medical data is still not accessible. There are still many problems getting hold of electronic health record data and making it accessible to the people who need it most. Many EHR systems do not have the required...

IRS Issues Warning About W-2 Phishing Scams
Feb 07

W-2 phishing scams increased considerably in 2015, prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year. This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The...

High Costs are Preventing Many Patients from Accessing their Medical Records
Feb 02

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare. The...

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb 02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for a HIPAA civil monetary penalty to be paid to OCR by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority...

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs
Jan 30

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist. The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security...

Tax Season Triggers Wave of W-2 Business Email Compromise Attacks
Jan 27

Campbell County Health is the latest victim of a W-2 business email compromise attack, which has resulted in the tax information of 1,457 hospital employees being disclosed to a scammer. The Gillette, WY-based healthcare system discovered Wednesday that an employee had responded to an email request for the W-2 form data of hospital employees. As is common in these scams, the attacker impersonated a hospital executive and requested W-2...

New Report Reveals 2016 Data Breach Trends
Jan 26

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare...

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan 24

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred...

NIST Publishes Draft of Updated Cybersecurity Framework
Jan 20

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan 19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209...

No HIPAA Violation Fine for Virginia State Senator
Jan 19

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

OCR Reminds CEs of HIPAA Audit Control Requirements
Jan 17

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan 12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

$475,000 Settlement for Delayed HIPAA Breach Notification
Jan 10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA...

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan 09

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health...

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan 08

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered....

Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan 06

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015,...

Patients Holding Back Health Information Over Data Privacy Fears
Jan 05

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial...

Massachusetts Data Breach Notification Archive Now Available Online
Jan 05

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation...

Largest Healthcare Data Breaches of 2016
Jan 04

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan 03

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation...

Healthcare Pages Intercepted and Posted Online
Dec 30

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room...

Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible
Dec 29

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection. The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The...

New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec 29

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range...

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec 28

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical...
